Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Fix Version: oauth2-1.0.0
Description
Client credentials should not be required for any other flow than the client credentials flow. It is required in Oltu in the "Resource Owner Password Credentials Grant", "Authorization code Grant" (when requesting access token) and when refreshing tokens.
About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47 :
"If the client type is confidential or
the client was issued client credentials (or assigned other
authentication requirements), the client MUST authenticate with the
authorization server as described in Section 3.2.1."
About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37 :
"If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1."
About the "Authorization code Grant", taken from http://tools.ietf.org/html/rfc6749#section-4.1.3 :
"If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1."
Note however that for the "Authorization code Grant" the "client_id" param is required if client credentials are not given.
So the validators for these cases should not set enforceClientAuthentication = true.
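The decision the report asks for, as an added example that is not part of the issue or of the Oltu code base: a token-endpoint check that requires client authentication unconditionally only for the client credentials grant, and for the other grants only when the registered client is confidential (was issued a secret). The client registry, the client ids and the secret are constructed sample data.

```python
import base64
import hmac

# Constructed client registry (sample data, not from the Oltu project):
# confidential clients were issued a secret, public clients were not.
CLIENTS = {
    "web-app": {"confidential": True, "secret": "s3cret"},
    "mobile-app": {"confidential": False, "secret": None},
}

# Grant types accepted at the token endpoint. Only client_credentials
# requires client authentication regardless of client type (RFC 6749).
GRANT_TYPES = {"client_credentials", "password", "authorization_code", "refresh_token"}


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization header as described in RFC 6749 3.2.1."""
    token = base64.b64encode(f"{client_id}:{secret}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def _credentials(headers, params):
    """Return (client_id, client_secret) from the Basic header or the body params."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        raw = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
        client_id, _, secret = raw.partition(":")
        return client_id, secret
    return params.get("client_id"), params.get("client_secret")


def validate_client(grant_type, headers, params):
    """Apply the per-grant client-authentication rule; returns (status, reason)."""
    if grant_type not in GRANT_TYPES:
        return "error", "unsupported_grant_type"
    client_id, secret = _credentials(headers, params)
    # Section 4.1.3: client_id is required when the client does not authenticate.
    if grant_type == "authorization_code" and not client_id:
        return "error", "client_id required for authorization_code"
    client = CLIENTS.get(client_id) if client_id else None
    if client_id and client is None:
        return "error", "invalid_client"
    must_authenticate = grant_type == "client_credentials" or (
        client is not None and client["confidential"]
    )
    if not must_authenticate:
        return "ok", "public client, authentication not required"
    if client is None or client["secret"] is None or secret is None:
        return "error", "invalid_client"
    # Constant-time comparison so the check does not leak the secret via timing.
    if not hmac.compare_digest(client["secret"].encode(), secret.encode()):
        return "error", "invalid_client"
    return "ok", "client authenticated"
```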
Issue Links
- incorporates OLTU-163: GrantType password and Missing parameters: client_secret (Resolved)