Description
Follow on from #815
Now with a new test script: https://gist.github.com/micolous/e54b84dec86fcc45754c5c429ed834c4
Whenever a client uses HTTP Basic authentication to provide its `client_id`, claims from the `tokenCallbacks[].requestMappings[].claims` config option are missing.
Running the above script with `--attempt_count 1 --refresh_count 0 --client_id_in_query` (which requests tokens with `client_id=test`) returns custom claims provided in `requestMappings[].claims`, as expected.
Running the above script with `--attempt_count 1 --refresh_count 0 --client_id_in_query --http_basic_auth` (which requests tokens with `client_id=test` and HTTP Basic auth) does not return custom claims provided in `requestMappings[].claims`.
It also fails for `--attempt_count 1 --refresh_count 0 --http_basic_auth` (which only uses HTTP Basic auth), but I don't think there is any way to set `DefaultOAuth2TokenCallback` options from JSON.
Authorisation servers MUST support using HTTP Basic authentication per RFC 6749 s2.3.1, and using query parameters to pass the client_id is NOT RECOMMENDED per the same spec.
Environment
Running mock-oauth2-server 2.1.10 in Docker, with this config:

```json
{
  "httpServer": {
    "type": "NettyWrapper",
    "ssl": {
      "keyPassword": "",
      "keystoreFile": "/run/secrets/server_p12",
      "keystoreType": "PKCS12",
      "keystorePassword": ""
    }
  },
  "interactiveLogin": true,
  "tokenCallbacks": [
    {
      "issuerId": "test-issuer",
      "tokenExpiry": 90,
      "requestMappings": [
        {"requestParam": "client_id", "match": "*", "claims": {"customClaim": ["foo"]}}
      ]
    }
  ]
}
```

This is also an issue when `"match": "test"`.
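The behaviour the issue asks for, written out as an added Python example (not code from the issue author, the linked gist, or mock-oauth2-server itself): a `requestMappings` evaluator that resolves `client_id` from the HTTP Basic `Authorization` header per RFC 6749 s2.3.1 (base64 of the form-urlencoded `client_id:client_secret`) before falling back to the `client_id` request parameter, then applies the `"*"` and exact `match` rules to the resolved value. Function names (`client_id_from_basic_auth`, `resolve_client_id`, `claims_for_request`) and the sample requests are constructed for illustration; the mapping dict mirrors the config above.

```python
import base64
import binascii
from fnmatch import fnmatchcase
from typing import Dict, List, Mapping, Optional
from urllib.parse import unquote

# Same requestMappings as in the issue's config (constructed copy for the example).
REQUEST_MAPPINGS: List[Dict] = [
    {"requestParam": "client_id", "match": "*", "claims": {"customClaim": ["foo"]}},
]


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_id_from_basic_auth(authorization: Optional[str]) -> Optional[str]:
    """Return the client_id carried in an HTTP Basic Authorization header, or None.

    RFC 6749 s2.3.1: the client identifier and secret are form-urlencoded
    (Appendix B), joined with ':' and base64-encoded as the Basic credentials.
    Anything malformed is treated as "no client_id here", not as an error.
    """
    if not authorization:
        return None
    scheme, _, credentials = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not credentials.strip():
        return None
    try:
        decoded = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, _secret = decoded.partition(":")
    if not sep:
        return None
    return unquote(user) or None


def resolve_client_id(headers: Mapping[str, str], params: Mapping[str, str]) -> Optional[str]:
    """Resolve client_id: Basic auth first (MUST be supported), then the request parameter.

    RFC 6749 s2.3 forbids using more than one client authentication method in a
    request, so a header/parameter mismatch is rejected rather than silently
    preferring one of them. Identical values (the issue's --client_id_in_query
    --http_basic_auth case) are accepted.
    """
    from_basic = client_id_from_basic_auth(_header(headers, "Authorization"))
    from_param = params.get("client_id")
    if from_basic and from_param and from_basic != from_param:
        raise ValueError("client_id in Authorization header and request parameter disagree")
    return from_basic or from_param


def claims_for_request(
    mappings: List[Dict], headers: Mapping[str, str], params: Mapping[str, str]
) -> Dict:
    """Apply requestMappings to one token request and return the extra claims to add.

    Only client_id gets the Basic-auth treatment; every other requestParam is
    read from the form/query parameters as-is. "match" is a glob, so "*"
    matches any present value and "test" matches exactly.
    """
    claims: Dict = {}
    for mapping in mappings:
        name = mapping["requestParam"]
        value = resolve_client_id(headers, params) if name == "client_id" else params.get(name)
        if value is None:
            continue
        if fnmatchcase(value, mapping["match"]):
            claims.update(mapping["claims"])
    return claims


def basic_header(client_id: str, client_secret: str) -> str:
    """Build a Basic Authorization header value the way an RFC 6749 client would."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed requests covering the three cases from the issue.
    only_query = claims_for_request(REQUEST_MAPPINGS, {}, {"grant_type": "client_credentials", "client_id": "test"})
    query_and_basic = claims_for_request(
        REQUEST_MAPPINGS, {"Authorization": basic_header("test", "secret")},
        {"grant_type": "client_credentials", "client_id": "test"})
    only_basic = claims_for_request(
        REQUEST_MAPPINGS, {"authorization": basic_header("test", "secret")},
        {"grant_type": "client_credentials"})
    print(only_query, query_and_basic, only_basic)  # all three carry customClaim
```

The third case (Basic auth only, no `client_id` parameter at all) is the one a spec-conforming server must handle; with the issue's config it should yield the same `customClaim` as the query-parameter case, and an exact `"match": "test"` should behave identically because the matcher sees the resolved value, not the raw parameter map.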