Humanstate / mojolicious-plugin-oauth2-server / 92 / 5
96%
master: 96%

Build:
DEFAULT BRANCH: master
Ran 24 Feb 2017 09:27AM UTC
Files 1
Run time 0s
24 Feb 2017 09:17AM UTC coverage: 95.556% (+0.2%) from 95.385%
92.5

push

travis-ci

leejo
resolve #4 - password grant uses Auth header

According to: https://tools.ietf.org/html/rfc6749#section-4.3.2

    If the client type is confidential or the client was issued client
    credentials (or assigned other authentication requirements), the
    client MUST authenticate with the authorization server as described
    in Section 3.2.1.

Which goes around the houses to point at:
https://tools.ietf.org/html/rfc6749#section-2.3.1

               ... The authorization server MUST support the HTTP Basic
    authentication scheme for authenticating clients that were issued a
    client password.

    For example (with extra line breaks for display purposes only):

     Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

    Alternatively, the authorization server MAY support including the
    client credentials in the request-body ...

So for the Password grant we should be able to get the client_id and
client_secret from the `Authorization` header if it is available and not
rely on these being available in the `->param` hash

The problem with the spec as documented in section 4.3.2 is that it
stipulates:

    The authorization server MUST:

    o  require client authentication for confidential clients or for any
       client that was issued client credentials (or with other
       authentication requirements),

and we currently don't define exactly which clients are confidential
for the password grant when using the modules out of the box with the
minimum configuration and no overrides.

TODO: perhaps we could tweak the config hash for password grant to
specify which clients are confidential or were issued client credentials
as currently the logic here will allow either an Auth header or the
defaults in the query params
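
Added example, not the plugin's code: one way to resolve client credentials for the password grant as the commit message describes, taking them from the `Authorization` header when present, rejecting requests that use both methods, and requiring authentication for confidential clients. The `%CLIENTS` registry, its `confidential` flag and the function names are assumptions made for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Constructed registry; the "confidential" flag is an assumed config field.
my %CLIENTS = (
    'web-app'    => { secret => 's3cr3t:x y', confidential => 1 },
    'mobile-app' => { confidential => 0 },
);

# RFC 6749 2.3.1: id and secret are form-urlencoded inside the Basic value.
sub form_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Compare secrets without stopping at the first differing byte.
sub secrets_match {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (client_id, undef) on success, (undef, oauth_error) on failure.
sub authenticate_client {
    my ($auth_header, $params) = @_;
    my ($id, $secret) = @{$params}{qw(client_id client_secret)};
    if (defined $auth_header && $auth_header =~ m{\ABasic +([A-Za-z0-9+/=]+)\z}i) {
        # RFC 6749 2.3: at most one authentication method per request.
        return (undef, 'invalid_request') if defined $secret;
        my ($raw_id, $raw_secret) = split /:/, decode_base64($1), 2;
        return (undef, 'invalid_client') unless defined $raw_secret;
        ($id, $secret) = (form_decode($raw_id), form_decode($raw_secret));
    }
    my $client = defined $id ? $CLIENTS{$id} : undef;
    return (undef, 'invalid_client') unless $client;
    # RFC 6749 4.3.2: confidential or credentialed clients MUST authenticate.
    if ($client->{confidential} || defined $client->{secret}) {
        return (undef, 'invalid_client')
            unless defined $secret && secrets_match($secret, $client->{secret});
    }
    return ($id, undef);
}

# Constructed requests: header auth, missing secret, both methods, public client.
my $basic = 'Basic ' . encode_base64('web-app:s3cr3t%3Ax+y', '');
for my $case ([$basic, {}], [undef, { client_id => 'web-app' }],
              [$basic, { client_secret => 'dup' }], [undef, { client_id => 'mobile-app' }]) {
    my ($id, $err) = authenticate_client(@$case);
    print defined $id ? "ok: $id\n" : "error: $err\n";
}
```
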

129 of 135 relevant lines covered (95.56%)

25.99 hits per line

  • 4001387a on github