Details
- Bug
- Status: Resolved
- Major
- Resolution: Duplicate
- oauth2-0.31
- None
- None
- JBoss 7.1.1
Description
The OAuthUnauthenticatedTokenRequest(HttpServletRequest) constructor will inappropriately fail if the "client_id" parameter is missing. But it is optional for "Resource Owner Password Credentials Grant". From the specification (section 4.3.2):
If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.
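
The behaviour the report asks for, as an added example that is not the project's code or the reporter's: a parameter check for the Resource Owner Password Credentials Grant that requires only what RFC 6749 section 4.3.2 marks REQUIRED and treats "client_id" as optional. The class name, method name and sample values are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example: hypothetical validator, not the library's own code.
public class PasswordGrantValidator {

    // Parameters RFC 6749 section 4.3.2 marks REQUIRED for this grant.
    private static final String[] REQUIRED = {"grant_type", "username", "password"};

    /** Returns the offending parameter names; an empty list means well-formed. */
    static List<String> validate(Map<String, String> params) {
        List<String> problems = new ArrayList<>();
        for (String name : REQUIRED) {
            String value = params.get(name);
            if (value == null || value.isEmpty()) {
                problems.add(name);
            }
        }
        String grantType = params.get("grant_type");
        if (grantType != null && !grantType.isEmpty() && !"password".equals(grantType)) {
            problems.add("grant_type");
        }
        // client_id is deliberately absent from REQUIRED. It only becomes
        // mandatory when the client sends its credentials in the request body
        // (section 2.3.1), i.e. when client_secret is present.
        if (params.containsKey("client_secret") && !params.containsKey("client_id")) {
            problems.add("client_id");
        }
        // Whether a confidential client actually authenticated (section 3.2.1)
        // depends on its registration and is checked separately, not here.
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample request with no client_id.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("grant_type", "password");
        request.put("username", "johndoe");
        request.put("password", "example-password");
        System.out.println("no client_id: " + validate(request));

        // Body credentials without client_id are malformed.
        request.put("client_secret", "example-secret");
        System.out.println("secret without client_id: " + validate(request));
    }
}
```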