We have noticed the issue below after upgrading the OTK from 4.3.1 to 4.6.0.
If we pass client_id or client_secret as query parameters, we receive an error.
Please find the sample request below.
curl --location --request POST 'https://<Gateway_Host>/auth/oauth/v2/token?grant_type=client_credentials&client_id=xxxxxxxxx&client_secret=xxxxxxxxxxx&scope=foo' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--header 'cache-control: no-cache'
{
  "error": "invalid_request",
  "error_description": "Missing or duplicate parameters"
}
Release: Gateway 10.x, 11.x
OTK 4.6
Starting with OAuth 4.6, passing client_id and client_secret as query string parameters is no longer supported, due to security concerns.
See the Release Notes for OAuth 4.6.
However, as of OTK 4.6.2 you can override this behaviour and send this kind of data via query parameters by updating the #OTK Variable Configuration policy and setting allow_insecure_oauth_params = true. See this section of the Release Notes for more information.
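The following is an added example, not part of this article or the OTK: it takes a token request of the failing shape, moves client_id and client_secret out of the query string, and prints the equivalent curl command with the credentials in the form body, which is the standard OAuth 2.0 client-credentials form (RFC 6749 section 2.3.1) rather than the allow_insecure_oauth_params override. The hostname, client id and secret are constructed sample values.

```sh
#!/bin/sh
# Added example: split a token-endpoint URL into the query parameters that may
# stay in the URL and the client credentials that OTK 4.6 rejects there, so
# the credentials can be sent in the POST body instead.

# Populate BASE, KEEP (non-credential query params) and CREDS (client_id/client_secret).
split_token_url() {
  url=$1
  BASE=${url%%\?*}
  KEEP=""
  CREDS=""
  query=${url#*\?}
  [ "$query" = "$url" ] && return 0      # no query string at all
  old_ifs=$IFS
  IFS='&'
  set -f                                 # no globbing on parameter values
  for kv in $query; do
    case $kv in
      client_id=*|client_secret=*) CREDS="${CREDS:+$CREDS&}$kv" ;;
      *)                           KEEP="${KEEP:+$KEEP&}$kv" ;;
    esac
  done
  set +f
  IFS=$old_ifs
}

# The URL with the credentials removed from the query string.
safe_token_url() {
  split_token_url "$1"
  printf '%s%s\n' "$BASE" "${KEEP:+?$KEEP}"
}

# The credentials as an application/x-www-form-urlencoded body (values are
# already URL-encoded because they came from the query string).
credential_body() {
  split_token_url "$1"
  printf '%s\n' "$CREDS"
}

# Print the curl command OTK 4.6 accepts: same grant_type and scope, credentials in the body.
fixed_curl_command() {
  printf "curl --request POST '%s' --header 'Content-Type: application/x-www-form-urlencoded' --data '%s'\n" \
    "$(safe_token_url "$1")" "$(credential_body "$1")"
}

# Constructed sample request in the shape the article reports as failing.
SAMPLE='https://gateway.example.com/auth/oauth/v2/token?grant_type=client_credentials&client_id=demo-client&client_secret=demo-secret&scope=foo'
fixed_curl_command "$SAMPLE"
```

Query strings are routinely written to gateway, proxy and web-server access logs, which is the exposure the 4.6 change removes; the body form (or an Authorization: Basic header) keeps the secret out of those logs without enabling the override.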