Clarification on Federated Authenticators - Client IDs and Client Secrets

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Clarification on Federated Authenticators - Client IDs and Client Secrets

Isuru Uyanage
Hi All, 

When configuring external IDPs through connectors, we have client secret and client ID. Some connectors like Facebook, Pinterest allows space character in the client ID and service provider login is successful.  

Basecamp, Google, LinkedIn, MailChimp and etc connectors do not allow spaces in the Client ID nor did in the Client Secret. 

Amazon does not allow spaces in the Client ID but it allows spaces in the Client Secret. 

I want to clarify how it really should be. Shouldn't any of connectors allow the space in the Client ID and Client secret?

Any feedback would be appreciated. 


Thanks and Best Regards,

Isuru Uyanage
Software Engineer - QA | WSO2
Mobile : <a href="tel:+94%2077%20767%201807" value="+94777671807" style="color:rgb(17,85,204)" target="_blank">+94 77 55 30752




_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
Reply | Threaded
Open this post in threaded view
|

Re: Clarification on Federated Authenticators - Client IDs and Client Secrets

Godwin Amila Shrimal
Hi Isuru,

AFAIK we don't want to allow spaces for ClientID and Secret since OAuth ClientID and Secret cannot have spaces. @Fara: Please confirm.

Thanks
Godwin


On Wed, Dec 20, 2017 at 8:29 PM, Isuru Uyanage <[hidden email]> wrote:
Hi All, 

When configuring external IDPs through connectors, we have client secret and client ID. Some connectors like Facebook, Pinterest allows space character in the client ID and service provider login is successful.  

Basecamp, Google, LinkedIn, MailChimp and etc connectors do not allow spaces in the Client ID nor did in the Client Secret. 

Amazon does not allow spaces in the Client ID but it allows spaces in the Client Secret. 

I want to clarify how it really should be. Shouldn't any of connectors allow the space in the Client ID and Client secret?

Any feedback would be appreciated. 


Thanks and Best Regards,

Isuru Uyanage
Software Engineer - QA | WSO2
Mobile : <a href="tel:+94%2077%20767%201807" value="+94777671807" style="color:rgb(17,85,204)" target="_blank">+94 77 55 30752






--
Godwin Amila Shrimal
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94772264165

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
Reply | Threaded
Open this post in threaded view
|

Re: Clarification on Federated Authenticators - Client IDs and Client Secrets

tharindue
OAuth spec's section [1] doesn't mention the rules on how to generate the client ID and secret values. What it says is the values should be URL encoded. In that case, if it has spaces, those would be converted to %20 and replaced the spaces, which should be OK.

So, IMO it's totally up to the developers of the OAuth authorization servers to decide the format of the client ID and secret. May be that's why different OAuth providers support/doesn't support the spaces.

On Wed, Dec 20, 2017 at 11:49 AM, Godwin Shrimal <[hidden email]> wrote:
Hi Isuru,

AFAIK we don't want to allow spaces for ClientID and Secret since OAuth ClientID and Secret cannot have spaces. @Fara: Please confirm.

Thanks
Godwin


On Wed, Dec 20, 2017 at 8:29 PM, Isuru Uyanage <[hidden email]> wrote:
Hi All, 

When configuring external IDPs through connectors, we have client secret and client ID. Some connectors like Facebook, Pinterest allows space character in the client ID and service provider login is successful.  

Basecamp, Google, LinkedIn, MailChimp and etc connectors do not allow spaces in the Client ID nor did in the Client Secret. 

Amazon does not allow spaces in the Client ID but it allows spaces in the Client Secret. 

I want to clarify how it really should be. Shouldn't any of connectors allow the space in the Client ID and Client secret?

Any feedback would be appreciated. 


Thanks and Best Regards,

Isuru Uyanage
Software Engineer - QA | WSO2
Mobile : <a href="tel:+94%2077%20767%201807" value="+94777671807" style="color:rgb(17,85,204)" target="_blank">+94 77 55 30752






--
Godwin Amila Shrimal
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94772264165

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev




--

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
Reply | Threaded
Open this post in threaded view
|

Re: Clarification on Federated Authenticators - Client IDs and Client Secrets

Isuru Uyanage
Hi Godwin/ Tharindu, 
Thank you for the explanation. 


Regards, 
Isuru 



Thanks and Best Regards,

Isuru Uyanage
Software Engineer - QA | WSO2
Mobile : <a href="tel:+94%2077%20767%201807" value="+94777671807" style="color:rgb(17,85,204)" target="_blank">+94 77 55 30752




On Wed, Dec 20, 2017 at 10:39 PM, Tharindu Edirisinghe <[hidden email]> wrote:
OAuth spec's section [1] doesn't mention the rules on how to generate the client ID and secret values. What it says is the values should be URL encoded. In that case, if it has spaces, those would be converted to %20 and replaced the spaces, which should be OK.

So, IMO it's totally up to the developers of the OAuth authorization servers to decide the format of the client ID and secret. May be that's why different OAuth providers support/doesn't support the spaces.

On Wed, Dec 20, 2017 at 11:49 AM, Godwin Shrimal <[hidden email]> wrote:
Hi Isuru,

AFAIK we don't want to allow spaces for ClientID and Secret since OAuth ClientID and Secret cannot have spaces. @Fara: Please confirm.

Thanks
Godwin


On Wed, Dec 20, 2017 at 8:29 PM, Isuru Uyanage <[hidden email]> wrote:
Hi All, 

When configuring external IDPs through connectors, we have client secret and client ID. Some connectors like Facebook, Pinterest allows space character in the client ID and service provider login is successful.  

Basecamp, Google, LinkedIn, MailChimp and etc connectors do not allow spaces in the Client ID nor did in the Client Secret. 

Amazon does not allow spaces in the Client ID but it allows spaces in the Client Secret. 

I want to clarify how it really should be. Shouldn't any of connectors allow the space in the Client ID and Client secret?

Any feedback would be appreciated. 


Thanks and Best Regards,

Isuru Uyanage
Software Engineer - QA | WSO2
Mobile : <a href="tel:+94%2077%20767%201807" value="+94777671807" style="color:rgb(17,85,204)" target="_blank">+94 77 55 30752






--
Godwin Amila Shrimal
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94772264165

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev




--

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : <a href="tel:+94%2077%20518%201586" value="+94775181586" target="_blank">+94 775181586



_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev