wso2 API Manager“不支持的客户端身份验证方法！”

Question

I am attempting to use the OAuth2 grant_type=password for a token request as described here with the WSO2 API Manager. Using the following curl command.

curl -k -d "grant_type=password&username=<uname>&password=<pwd>&scope=PRODUCTION" http://localhost:8280/token

The response from this request is:

{"error":"invalid_request","error_description":"Missing parameters: client_id"}

Next, I supply my consumer key and the curl request becomes the following:

curl -k -d "grant_type=password&username=<uname>&password=<pwd>&scope=PRODUCTION&client_id=<myconsumerkey>" http://localhost:8280/token

However, the response is baffling:

{"error":"unsupported_client_authentication_method","error_description":"Unsupported Client Authentication Method!"}

So, my question is does the API Man just not support this grant_type? Or, am I doing something incorrectly here? Should I be looking at the identity server for this grant type?

Cheers

Answer 1

You want to send the client credentials (client key and secret) in HTTP Basic Authorization header. Curl command would be such as following. Here "--user client-Key:client-Secret" has been used to creates the Basic Authorization header using curl command. You can use following command with your values.

curl --user tFVhXORF35S9TTyeaZIH2IEXEw4a:4h6fq4jgRYKrr4v91A_zQgw4Xtoa -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type: application/x-www-form-urlencoded" https://{IP}:{Port}/oauth2/token

Add in to this more, I guess WSO2API does not support to receive client credentials in request body. According to the OAuth 2.0 spec, It is not recommended. Please check here