For those of you using OAuth 2 authentication method

Following the changes to the Open Data Hub and the API gateway, there are some changes to how OAuth 2 authentication works.

The previous version of the gateway allowed a non-standard way of obtaining OAuth bearer tokens: it accepted the grant type and scope passed in as a URL query string. The current version of the gateway has closed this loophole, and you now need to ensure these parameters are sent in the POST body.

For example, using curl we previously accepted:
curl -X POST -H "Authorization: Basic xxxxxx" "https://api-beta.np.tfnsw.com.au/auth/oauth/v2/token?grant_type=client_credentials&scope=user"

Now we only accept:
curl -X POST -H "Authorization: Basic xxxxxx" --data 'grant_type=client_credentials&scope=user' https://api.transport.nsw.gov.au/auth/oauth/v2/token
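As an added illustration (not part of the original announcement or of the Open Data Hub's own code), the following Python builds a compliant client_credentials token request with grant_type and scope in the form-encoded POST body, prints the equivalent curl command, and includes a pre-flight check that flags the old query-string style the gateway now rejects. The client id and secret are placeholders; the token URL is the one given in the announcement.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Token endpoint from the announcement above.
TOKEN_URL = "https://api.transport.nsw.gov.au/auth/oauth/v2/token"

# Parameters that belong in the POST body of a token request, never in the URL.
FORBIDDEN_IN_QUERY = {"grant_type", "scope"}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str, scope: str = "user"):
    """Return (url, headers, body) for a client_credentials token request.

    grant_type and scope are form-encoded into the body, so the URL carries
    no OAuth parameters at all (matching the 'now we only accept' curl line).
    """
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return TOKEN_URL, headers, body


def to_curl(url: str, headers: dict, body: str) -> str:
    """Render the request as a curl command for comparison with the post."""
    parts = ["curl -X POST"]
    for name, value in headers.items():
        parts.append(f'-H "{name}: {value}"')
    parts.append(f"--data '{body}'")
    parts.append(url)
    return " ".join(parts)


def check_token_request(url: str, body: str):
    """Pre-flight check mirroring the gateway's new behaviour.

    Returns (ok, reason). Rejects requests that leak grant_type or scope into
    the query string, and requests whose body has no grant_type at all.
    """
    query = parse_qs(urlsplit(url).query)
    leaked = sorted(FORBIDDEN_IN_QUERY & set(query))
    if leaked:
        return False, "token parameters in query string: " + ", ".join(leaked)
    form = parse_qs(body)
    if "grant_type" not in form:
        return False, "grant_type missing from POST body"
    return True, "ok"


if __name__ == "__main__":
    # Placeholder credentials (constructed for the example, not real).
    url, headers, body = build_token_request("my-client-id", "my-client-secret")
    print(to_curl(url, headers, body))
    print(check_token_request(url, body))
    # The old, now-rejected style for comparison:
    old_url = TOKEN_URL + "?grant_type=client_credentials&scope=user"
    print(check_token_request(old_url, ""))
```

Query strings tend to end up in access logs, proxy logs and browser history, which is one reason token-request parameters are expected in the body; the check above is the kind of guard a client library or API gateway can apply before a request goes out or is accepted.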

If you were using OAuth 2 authentication for your apps you may continue doing so. However, we strongly encourage switching to the API Key authentication method, as it's simpler to use and has fewer issues.
