pythonauthenticationflaskoauth-2.0flask-oauthlib

Pass username and password to Flask Oauth2 Server (password grant type)


I'm implementing Flask REST API with Flask-Oauthlib and wondering is it ok to pass username and password in URL parameters? For example:

GET http://127.0.0.1:5000/api/token?client_id=CLIENT_ID&grant_type=password&username=myusername&password=hopeudontseemypass

In my development environment all the requests are showing in logs as plain text like this:

127.0.0.1 - "GET /api/token?client_id=CLIENT_ID&grant_type=password&username=myusername&password=hopeudontseemypass HTTP/1.1" 200 -

Is there any way to pass base64 encoded username/pass in request headers? All the password grant type examples are using username and password in URL parameters, so don't know is this a really problem if server will use SSL.


Solution

  • The OAuth protocol spec says that the parameters must be POST-ed to the token endpoint. By accepting them as query parameters the Authorization Server violates the spec. Better use POST to avoid the credentials ending up in log files.