The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.
```ruby
# check if authorisation header is present
unless authorization_header.present? # env['HTTP_AUTHORIZATION'].present?
  raise :token_missing
end
# extract bearer token
bearer_token_param = authorization_header.extract_bearer_token
access_token = AccessToken.authenticate bearer_token_param
# check if access token is valid
raise :invalid_token unless access_token.valid?
```
Client credentials authorization (using application/x-www-form-urlencoded media type):

Request

The client makes a request to the token endpoint (/oauth/token) using the application/x-www-form-urlencoded format (media type). Only the following parameters can be used:

| name | required | description | example |
| --- | --- | --- | --- |
| grant_type | REQUIRED | Value MUST be set to client_credentials | client_credentials |
| scope | OPTIONAL | The scope of the access request | read write openid |

If the Authorization header (Authorization: Basic base64(client_id:client_secret)) is not used, client_id and client_secret MUST be used.
e.g.

```http
POST /oauth/token HTTP/1.1
Host: api.example.com
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=client_credentials&client_id=client_a&client_secret=secretpass
```
Response

| name | required | description | example |
| --- | --- | --- | --- |
| access_token | REQUIRED | The access token issued by the authorisation server. | aCCessTokeN |
| token_type | REQUIRED | The type of the token issued (bearer) | bearer |
| expires_in | RECOMMENDED | The lifetime in seconds of the access token. | 3600 |
| scope | OPTIONAL | OPTIONAL only if identical to the scope requested by the client, otherwise REQUIRED | read write openid |

NOTICE: The authorisation server MUST include the HTTP Cache-Control response header field with a value of no-store in any response containing tokens, credentials, or other sensitive information, as well as the Pragma response header field with a value of no-cache.

NOTICE: A refresh token is NOT included in the client credentials response.
Errors (status code, error code, description):

| HTTP status code | error code (error) | description (message) |
| --- | --- | --- |
| 400 (bad request) | invalid_request | The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed. |
| 401 (unauthorised) | invalid_client | Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. |
| 400 (bad request) | invalid_grant | The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. |
| 400 (bad request) | unauthorized_client | The authenticated client is not authorised to use this authorisation grant type. |
| 400 (bad request) | unsupported_grant_type | The authorisation grant type is not supported by the authorisation server. |
| 400 (bad request) | invalid_scope | The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. |
| 400 (bad request) | insecure_transport | OAuth 2 MUST use the https protocol. |
e.g.

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "error": "invalid_request",
  "error_description": "The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.",
  "error_uri": "https://api.example.com/uaa/oauth/errors/invalid_request"
}
```
Algorithm:

1. Validate the incoming request:
   - issue **insecure_transport** unless the https protocol is used
   - issue **invalid_request** unless the media type equals **application/x-www-form-urlencoded**
   - issue **invalid_request** if the grant_type param is missing
   - issue **invalid_request** if client authentication is supplied both via the Authorization header AND via the client_id and client_secret params
   - issue **invalid_request** if params other than the expected ones are present
2. Validate the grant type:
   - issue **unsupported_grant_type** unless the grant type is supported by this authorisation server
3. Validate the client credentials:
   - issue **invalid_client** AND set **WWW-Authenticate** if the client is unknown OR no client authentication credentials are included OR an unsupported authentication method is used (e.g. client_id and client_secret are passed as URL query parameters instead of the Authorization header or POST body params)
   - issue **invalid_grant** if the client credentials do not match
4. Validate that the client is authorised to use this authorisation grant type:
   - issue **unauthorized_client** unless the authenticated client is authorised to use this grant type
5. Validate the scope:
   - issue **invalid_scope** unless the scopes are well formed and valid (they exist and are allowed for this client)
   - issue **invalid_scope** unless the scopes are included in the client's authorities array
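The client_credentials algorithm above carried into working Ruby, as an added example that is not code from the original page or its project. It assumes a constructed client registry (CLIENTS), a hypothetical entry point client_credentials_token, and the page's placeholder token value; each branch returns the status, JSON body and headers the page specifies, including WWW-Authenticate on invalid_client and the invalid_grant (not invalid_client) result for a wrong secret under this grant.

```ruby
require 'base64'
require 'cgi'
# Constructed client registry for this example: id => secret, allowed grant types, allowed scopes.
CLIENTS = { 'client_a' => { secret: 'secretpass', grants: %w[client_credentials refresh_token],
                            scopes: %w[read write openid] } }.freeze
ALLOWED_PARAMS = %w[grant_type scope client_id client_secret].freeze
SUPPORTED_GRANTS = %w[client_credentials refresh_token password].freeze
NO_STORE = { 'Cache-Control' => 'no-store', 'Pragma' => 'no-cache' }.freeze

# Error response triple; invalid_client carries WWW-Authenticate as the page requires.
def error(status, code)
  headers = code == 'invalid_client' ? NO_STORE.merge('WWW-Authenticate' => 'Basic realm="oauth"') : NO_STORE
  [status, { 'error' => code, 'error_uri' => "https://api.example.com/oauth/errors/#{code}" }, headers]
end

# Client credentials from the Basic header, else from the form body; [nil, nil] if unusable.
def extract_client(auth, params)
  return [params['client_id'].first, params['client_secret'].first] unless auth
  scheme, encoded = auth.split(' ', 2)
  return [nil, nil] unless scheme == 'Basic' && encoded
  Base64.strict_decode64(encoded).split(':', 2)
rescue ArgumentError
  [nil, nil]
end

# Returns [status, body, headers] following the page's client_credentials algorithm, in that order.
def client_credentials_token(scheme:, content_type:, headers:, body:, query: '')
  return error(400, 'insecure_transport') unless scheme == 'https'
  return error(400, 'invalid_request') unless content_type == 'application/x-www-form-urlencoded'
  params = CGI.parse(body) # values are arrays, so a repeated parameter is visible
  auth = headers['Authorization']
  return error(400, 'invalid_request') unless params.key?('grant_type')
  return error(400, 'invalid_request') if auth && (params.key?('client_id') || params.key?('client_secret'))
  return error(400, 'invalid_request') unless (params.keys - ALLOWED_PARAMS).empty? && params.values.all? { |v| v.size == 1 }
  grant = params['grant_type'].first
  return error(400, 'unsupported_grant_type') unless SUPPORTED_GRANTS.include?(grant)
  # Credentials in the URL query string are an unsupported client authentication method.
  return error(401, 'invalid_client') if CGI.parse(query).key?('client_id')
  id, secret = extract_client(auth, params)
  client = CLIENTS[id]
  return error(401, 'invalid_client') if client.nil?
  # For client_credentials a wrong secret is invalid_grant (the page's note), not invalid_client.
  return error(400, 'invalid_grant') unless client[:secret] == secret
  return error(400, 'unauthorized_client') unless client[:grants].include?(grant)
  scopes = params['scope'].first.to_s.split(' ')
  return error(400, 'invalid_scope') unless (scopes - client[:scopes]).empty?
  token = { 'access_token' => 'aCCessTokeN', 'token_type' => 'bearer', 'expires_in' => 3600 } # placeholder from the page
  [200, token.merge('scope' => (scopes.empty? ? client[:scopes] : scopes).join(' ')), NO_STORE]
end
```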
Refresh token authorization (using application/x-www-form-urlencoded media type):

Request

The client makes a request to the token endpoint (/oauth/token) using the application/x-www-form-urlencoded format (media type). Only the following parameters can be used:

| name | required | description | example |
| --- | --- | --- | --- |
| grant_type | REQUIRED | Value MUST be set to refresh_token | refresh_token |
| refresh_token | REQUIRED | The refresh token issued to the client. | RefReShToKen |
| scope | OPTIONAL | The scope of the access request. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner. | read write openid |
| client_id | OPTIONAL | The client id | client_a |
| client_secret | OPTIONAL | The client secret | AABBCCDD |

If the Authorization header (Authorization: Basic base64(client_id:client_secret)) is not used, client_id and client_secret MUST be used.
The authorisation server then:

- authenticates the client (if client authentication is included)
- validates the refresh token

NOTICE: since this access token request utilises the resource owner's password, the authorisation server protects the endpoint against brute force attacks using rate limitation (up to 5 invalid attempts, after which the client must wait 5 minutes until the next attempt; alerts are generated as well).
Response

| name | required | description | example |
| --- | --- | --- | --- |
| access_token | REQUIRED | The access token issued by the authorisation server. | aCCessTokeN |
| token_type | REQUIRED | The type of the token issued (bearer) | bearer |
| expires_in | RECOMMENDED | The lifetime in seconds of the access token. | 3600 |
| scope | OPTIONAL | OPTIONAL only if identical to the scope requested by the client, otherwise REQUIRED | read write openid |

NOTICE: The authorisation server MUST include the HTTP Cache-Control response header field with a value of no-store in any response containing tokens, credentials, or other sensitive information, as well as the Pragma response header field with a value of no-cache.
Errors (status code, error code, description):

| HTTP status code | error code (error) | description (message) |
| --- | --- | --- |
| 400 (bad request) | invalid_request | The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed. |
| 401 (unauthorised) | invalid_client | Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. |
| 400 (bad request) | invalid_grant | The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. |
| 400 (bad request) | unauthorized_client | The authenticated client is not authorised to use this authorisation grant type. |
| 400 (bad request) | unsupported_grant_type | The authorisation grant type is not supported by the authorisation server. |
| 400 (bad request) | invalid_scope | The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. |
| 400 (bad request) | insecure_transport | OAuth 2 MUST use the https protocol. |
e.g.

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "error": "invalid_request",
  "error_description": "The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.",
  "error_uri": "https://api.example.com/uaa/oauth/errors/invalid_request"
}
```
Algorithm:

1. Validate the incoming request:
   - issue **insecure_transport** unless the https protocol is used
   - issue **invalid_request** unless the media type equals **application/x-www-form-urlencoded**
   - issue **invalid_request** if the grant_type param is missing
   - issue **invalid_request** if the refresh_token param is missing
   - issue **invalid_request** if client authentication is supplied both via the Authorization header AND via the client_id and client_secret params
   - issue **invalid_request** if params other than the expected ones are present
2. Validate the grant type:
   - issue **unsupported_grant_type** unless the grant type is supported by this authorisation server (refresh_token is, so this error is never issued here)
3. Validate the client credentials:
   - issue **invalid_client** AND set **WWW-Authenticate** if the client is unknown OR no client authentication credentials are included OR an unsupported authentication method is used (e.g. client_id and client_secret are passed as URL query parameters instead of the Authorization header or POST body params)
4. Validate that the client is authorised to use this authorisation grant type:
   - issue **unauthorized_client** unless the authenticated client is authorised to use this grant type
5. Validate the refresh token:
   - issue **invalid_grant** unless the refresh token is valid
6. Validate the scope:
   - issue **invalid_scope** unless the scopes are well formed and valid (they exist and are allowed for this client)
   - issue **invalid_scope** if the requested scopes include any scope that was not originally granted by the resource owner

Incorrect values of either client_id or client_secret MUST issue an invalid_client error with the description message "The client credentials are invalid". This applies to every grant type other than client_credentials, where incorrect client credentials MUST issue invalid_grant.
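The refresh token steps that follow client authentication (the invalid_grant checks and the scope-narrowing rule), as an added Ruby example that is not part of the original page. REFRESH_TOKENS and refresh_token_grant are constructed names, `now` is injected so expiry can be checked deterministically, and the scope grammar check uses the character set RFC 6749 defines for scope tokens.

```ruby
# Constructed refresh token store for this example: token => issuing client, granted scope, expiry, revoked flag.
REFRESH_TOKENS = {
  'RefReShToKen' => { client_id: 'client_a', scope: %w[read write openid], expires_at: Time.utc(2030, 1, 1), revoked: false },
  'StaleToken'   => { client_id: 'client_a', scope: %w[read], expires_at: Time.utc(2020, 1, 1), revoked: false },
  'OtherToken'   => { client_id: 'client_b', scope: %w[read], expires_at: Time.utc(2030, 1, 1), revoked: false }
}.freeze
SCOPE_TOKEN = /\A[\x21\x23-\x5b\x5d-\x7e]+\z/ # RFC 6749 section 3.3 scope-token characters

# The refresh_token grant after the client has been authenticated: invalid_grant checks, then the
# scope-narrowing rule. Returns [status, body]; `client_id` is the already authenticated client.
def refresh_token_grant(client_id:, refresh_token:, scope: nil, now: Time.now.utc)
  return [400, { 'error' => 'invalid_request' }] if refresh_token.nil? || refresh_token.empty?
  record = REFRESH_TOKENS[refresh_token]
  # Unknown, revoked, expired or issued to another client all collapse to invalid_grant,
  # so the response does not reveal which condition failed.
  if record.nil? || record[:revoked] || record[:expires_at] <= now || record[:client_id] != client_id
    return [400, { 'error' => 'invalid_grant' }]
  end
  # An omitted scope means "the scope originally granted by the resource owner".
  requested = scope.nil? ? record[:scope] : scope.split(' ')
  return [400, { 'error' => 'invalid_scope' }] if requested.empty? || !requested.all? { |s| s.match?(SCOPE_TOKEN) }
  # A refresh may narrow but never widen the scope originally granted.
  return [400, { 'error' => 'invalid_scope' }] unless (requested - record[:scope]).empty?
  # Scope is always echoed back, which satisfies both the OPTIONAL and the REQUIRED case on the page.
  [200, { 'access_token' => 'aCCessTokeN', 'token_type' => 'bearer', 'expires_in' => 3600,
          'scope' => requested.join(' ') }]
end
```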
Resource owner password credentials authorization (using application/x-www-form-urlencoded media type):

Request

The client makes a request to the token endpoint (/oauth/token) using the application/x-www-form-urlencoded format (media type). Only the following parameters can be used:

| name | required | description | example |
| --- | --- | --- | --- |
| grant_type | REQUIRED | Value MUST be set to password | password |
| username | REQUIRED | The resource owner username. | foobar |
| password | REQUIRED | The resource owner password. | pass1234 |
| scope | OPTIONAL | The scope of the access request | read write openid |
| client_id | OPTIONAL | The client id | client_a |
| client_secret | OPTIONAL | The client secret | AABBCCDD |

If the Authorization header (Authorization: Basic base64(client_id:client_secret)) is not used, client_id and client_secret MUST be used.
The authorisation server then:

- authenticates the client (if client authentication is included)
- validates the resource owner password credentials

NOTICE: since this access token request utilises the resource owner's password, the authorisation server protects the endpoint against brute force attacks using rate limitation (up to 5 invalid attempts, after which the client must wait 5 minutes until the next attempt; alerts are generated as well).
Response

| name | required | description | example |
| --- | --- | --- | --- |
| access_token | REQUIRED | The access token issued by the authorisation server. | aCCessTokeN |
| token_type | REQUIRED | The type of the token issued (bearer) | bearer |
| expires_in | RECOMMENDED | The lifetime in seconds of the access token. | 3600 |
| refresh_token | OPTIONAL | The refresh token, which can be used to obtain a new access token. | RefResHTokeN |
| scope | OPTIONAL | OPTIONAL only if identical to the scope requested by the client, otherwise REQUIRED | read write openid |

NOTICE: The authorisation server MUST include the HTTP Cache-Control response header field with a value of no-store in any response containing tokens, credentials, or other sensitive information, as well as the Pragma response header field with a value of no-cache.
Errors (status code, error code, description):

| HTTP status code | error code (error) | description (message) |
| --- | --- | --- |
| 400 (bad request) | invalid_request | The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed. |
| 401 (unauthorised) | invalid_client | Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. |
| 400 (bad request) | invalid_grant | The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. |
| 400 (bad request) | unauthorized_client | The authenticated client is not authorised to use this authorisation grant type. |
| 400 (bad request) | unsupported_grant_type | The authorisation grant type is not supported by the authorisation server. |
| 400 (bad request) | invalid_scope | The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. |
| 400 (bad request) | insecure_transport | OAuth 2 MUST use the https protocol. |
e.g.

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "error": "invalid_request",
  "error_description": "The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.",
  "error_uri": "https://api.example.com/oauth/errors/invalid_request"
}
```
Algorithm:

1. Validate the incoming request:
   - issue **insecure_transport** unless the https protocol is used
   - issue **invalid_request** unless the media type equals **application/x-www-form-urlencoded**
   - issue **invalid_request** if the grant_type param is missing
   - issue **invalid_request** if username or password is missing
   - issue **invalid_request** if client authentication is supplied both via the Authorization header AND via the client_id and client_secret params
   - issue **invalid_request** if params other than the expected ones are present
2. Validate the grant type:
   - issue **unsupported_grant_type** unless the grant type is supported by this authorisation server
3. Validate the client credentials:
   - issue **invalid_client** AND set **WWW-Authenticate** if the client is unknown OR no client authentication credentials are included OR an unsupported authentication method is used (e.g. client_id and client_secret are passed as URL query parameters instead of the Authorization header or POST body params)
   - issue **invalid_client** AND set **WWW-Authenticate** if the client credentials are invalid
4. Validate that the client is authorised to use this authorisation grant type:
   - issue **unauthorized_client** unless the authenticated client is authorised to use this grant type
5. Validate the scope:
   - issue **invalid_scope** unless the scopes are well formed and valid (they exist and are allowed for this client)
6. Validate the resource owner credentials:
   - check whether the username and password are valid
   - if not, issue an **invalid_grant** error

Incorrect values of either client_id or client_secret MUST issue an invalid_client error with the description message "The client credentials are invalid". This applies to every grant type other than client_credentials, where incorrect client credentials MUST issue invalid_grant.
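The resource owner credentials check together with the rate limitation the notice above describes (5 invalid attempts, then a 5 minute wait, plus an alert), as an added Ruby example that is not the page's own code. USERS, PasswordGrantGuard and the alert record are constructed; returning invalid_grant while the account is locked is an assumption, since the page does not name the error for that case.

```ruby
require 'openssl'
# Constructed resource owner store for this example: username => salted SHA-256 of the password.
SALT = 'constructed-example-salt'.freeze
USERS = { 'foobar' => OpenSSL::Digest::SHA256.hexdigest(SALT + 'pass1234') }.freeze
MAX_FAILURES = 5          # invalid attempts tolerated before the lockout (from the page)
LOCKOUT_SECONDS = 5 * 60  # how long the next attempt must wait (from the page)

# Password grant step "check whether the username and password are valid", with the page's brute-force
# rate limitation: after MAX_FAILURES invalid attempts the username is locked for LOCKOUT_SECONDS
# and an alert is recorded. The client has already been authenticated before this step.
class PasswordGrantGuard
  attr_reader :alerts
  def initialize
    @failures = Hash.new(0) # username => consecutive invalid attempts
    @locked_until = {}      # username => Time when attempts are accepted again
    @alerts = []            # alert records a SOC would receive (collected here for the example)
  end

  # Returns [status, body]; `now` is injected so the lockout window can be tested deterministically.
  def validate(username:, password:, now: Time.now.utc)
    return [400, { 'error' => 'invalid_request' }] if username.to_s.empty? || password.to_s.empty?
    # While locked, the password is not even checked, so guessing cannot continue during the window.
    # (Assumption: the page does not name the error for a locked account; invalid_grant is used here.)
    if @locked_until[username] && now < @locked_until[username]
      return [400, { 'error' => 'invalid_grant', 'error_description' => 'too many invalid attempts' }]
    end
    @locked_until.delete(username)
    stored = USERS[username]
    # Hash the candidate and compare digests of equal length; unknown users fail the same way.
    if stored && OpenSSL::Digest::SHA256.hexdigest(SALT + password) == stored
      @failures.delete(username)
      return [200, { 'access_token' => 'aCCessTokeN', 'token_type' => 'bearer', 'expires_in' => 3600,
                     'refresh_token' => 'RefResHTokeN' }] # placeholder values from the page
    end
    @failures[username] += 1
    if @failures[username] >= MAX_FAILURES
      @locked_until[username] = now + LOCKOUT_SECONDS
      @failures.delete(username)
      @alerts << { username: username, at: now, reason: "#{MAX_FAILURES} invalid password attempts" }
    end
    [400, { 'error' => 'invalid_grant' }]
  end
end
```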