000038767 - Generic REST Collector fails OAuth 2.0 when the Client Secret is expected in the Request Body in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Apr 23, 2020
Version 1

Article Content

Article Number: 000038767
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.0
 
Issue: A test of a Generic REST Collector fails OAuth 2.0 when a Client Secret is expected to be part of the body of the request (Collectors > Collector Type > {Collector Name} > Test button).

A test in Postman is successful.


 
Cause: OAuth 2.0 supports sending the Client Secret in the authorization header or in the body of the request. If the application endpoint expects the Client Secret to be sent as part of the body of the request, the collector fails. An example of an endpoint that expects the Client Secret in the body of the request is Box Business.

This is a known issue reported in engineering ticket ACM-104883.
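The two ways of sending the Client Secret described above, shown as an added example (not RSA's code and not taken from the original article). The function names, the `client_credentials` grant type and the sample client ID and secret are assumptions constructed for illustration; the method labels `client_secret_basic` and `client_secret_post` are the standard OAuth names for header and body client authentication.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode

def build_token_request(client_id, client_secret, method,
                        grant_type="client_credentials"):
    """Return (headers, body) for a token request using one client-auth method."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": grant_type}  # grant type is an assumption of this example
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode the id and secret, join them
        # with ":", and send the result as HTTP Basic credentials.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        # The secret travels as form fields in the request body instead.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client auth method: {method}")
    return headers, urlencode(form)

def detect_client_auth(headers, body):
    """Classify a captured token request by where the client secret is sent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    has_basic = lowered.get("authorization", "").lower().startswith("basic ")
    has_body_secret = "client_secret" in parse_qs(body)
    if has_basic and has_body_secret:
        # RFC 6749 section 2.3: only one authentication method per request.
        return "both"
    if has_basic:
        return "client_secret_basic"
    if has_body_secret:
        return "client_secret_post"
    return "none"

if __name__ == "__main__":
    # Constructed sample credentials; the secret itself is never printed.
    for method in ("client_secret_basic", "client_secret_post"):
        headers, body = build_token_request("demo-client", "constructed-secret", method)
        print(method, "->", detect_client_auth(headers, body))
        print("  Authorization header present:", "Authorization" in headers)
        print("  body fields:", sorted(parse_qs(body)))
```

Running `detect_client_auth` over a captured request shows which of the two forms a client actually sent, which is the difference between the failing collector test and a request the endpoint accepts.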
 
Resolution: This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.
 