Pass username and password to Flask Oauth2 Server (password grant type)

2018-06-18 01:23:05

I'm implementing Flask REST API with Flask-Oauthlib and wondering is it ok to pass username and password in URL parameters? For example:

GET http://127.0.0.1:5000/api/token?client_id=CLIENT_ID&grant_type=password&username=myusername&password=hopeudontseemypass

In my development environment all the requests are showing in logs as plain text like this:

127.0.0.1 - "GET /api/token?client_id=CLIENT_ID&grant_type=password&username=myusername&password=hopeudontseemypass HTTP/1.1" 200 -

Is there any way to pass base64 encoded username/pass in request headers? All the password grant type examples are using username and password in URL parameters, so don't know is this a really problem if server will use SSL.

The OAuth protocol spec says that the parameters must be POST-ed to the token endpoint. By accepting them as query parameters the Authorization Server violates the spec. Better use POST to avoid the credentials ending up in log files.

链接地址: http://www.djcxy.com/p/50960.html

上一篇: Python使用内容请求POST JSON数据

下一篇: 将用户名和密码传递给Flask Oauth2服务器（密码授权类型）