getting Missing or duplicate parameters after upgrading OTK from 4.3 to 4.6

Article ID: 260427

Products

CA API Gateway

Issue/Introduction

We have noticed the below issue after upgrading the OTK from 4.3.1 to 4.6.0.

If we pass client_id or client_secret as query parameters, we are getting an error.

Please find the sample request below.

curl --location --request POST 'https://<Gateway_Host>/auth/oauth/v2/token?grant_type=client_credentials&client_id=xxxxxxxxx&client_secret=xxxxxxxxxxx&scope=foo' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--header 'cache-control: no-cache'

{
"error": "invalid_request",
"error_description": "Missing or duplicate parameters"
}
 
But if we pass them in the body, it works.
 
curl --location --request POST 'https://<Gateway_Host>/auth/oauth/v2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--header 'cache-control: no-cache' \
--data-urlencode 'client_id=xxxxxx' \
--data-urlencode 'client_secret=xxxxxxxx' \
--data-urlencode 'scope=foo' \
--data-urlencode 'grant_type=client_credentials'

Environment

Release: 10.1

Resolution

Starting with OAuth 4.6, passing client_id and client_secret as query string parameters is no longer supported, due to security concerns. See the Release Notes for OAuth 4.6.

However, as of OTK 4.6.2 you can override this behaviour and accept this kind of data via query parameters by updating the #OTK Variable Configuration policy and setting allow_insecure_oauth_params = true. See this section of the Release Notes for more information.
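The following is an added example, not code from the article or from the OTK itself. It shows a client-side helper that relocates client_id/client_secret from the token URL into the form body (the request shape OTK 4.6 accepts, and one that keeps secrets out of access logs), and a small scanner over constructed common-log-format lines that finds clients still sending credentials in the query string; the log format and the gw.example host are assumptions.

```python
# Added example (not from the KB article or the OTK): keep client credentials
# in the POST body, and find clients that still put them in the query string.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CREDENTIAL_PARAMS = ("client_id", "client_secret")

def build_token_request(url, params):
    """Return (clean_url, form_body) with credentials moved out of the query.

    A credential present both in the URL and in params (or twice in the URL)
    is the "duplicate" case OTK rejects, so it is raised here instead.
    """
    parts = urlsplit(url)
    body = dict(params)  # caller-supplied body parameters keep their order
    kept_query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in CREDENTIAL_PARAMS:
            kept_query.append((key, value))
        elif key in body:
            raise ValueError(f"duplicate parameter: {key}")
        else:
            body[key] = value
    clean_url = urlunsplit(parts._replace(query=urlencode(kept_query)))
    return clean_url, urlencode(body)

# Request line of a common-log-format entry (assumed log format).
REQUEST_LINE = re.compile(r'^(\S+) .*"(?:GET|POST) (\S+) HTTP/')

def find_credentials_in_query(log_lines):
    """Return (client_ip, path) for requests carrying a credential in the URL."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query_keys = {k for k, _ in parse_qsl(urlsplit(target).query)}
        if query_keys & set(CREDENTIAL_PARAMS):
            hits.append((ip, urlsplit(target).path))
    return hits

# Constructed sample access-log lines (not real gateway output).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /auth/oauth/v2/token'
    '?grant_type=client_credentials&client_id=abc&client_secret=s3cret HTTP/1.1" 400 71',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "POST /auth/oauth/v2/token HTTP/1.1" 200 180',
]
```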