Rikard Swahn created OLTU-179:
---------------------------------

Summary: Client credentials are required for the Resource Owner Credentials flow and for refreshing tokens
Key: OLTU-179
URL: https://issues.apache.org/jira/browse/OLTU-179
Project: Apache Oltu
Issue Type: Bug
Components: oauth2-authzserver
Affects Versions: oauth2-1.0.0
Reporter: Rikard Swahn
Client credentials should not be required for the "Resource Owner Password Credentials Grant" and when refreshing tokens.

About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47 :

"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1."

About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37 :

"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1."

So the PasswordValidator and the RefreshTokenValidator should not set enforceClientAuthentication = true.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
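The RFC rule the report quotes (authenticate the client only when it is confidential or has been issued credentials) is easy to get wrong by turning it into a global switch. The following is an added example, written for this page and not code from Apache Oltu; it models a token endpoint's client-authentication check for the password and refresh_token grants. The `enforce_client_authentication` keyword mirrors the flag the report names, so the same function shows both behaviours: with it off, the decision is made per client from the registry; with it on, every client must present a secret, which is what the report says breaks public clients. The client registry, client identifiers and secrets are constructed sample data.

```python
"""Token-endpoint client authentication per RFC 6749 sections 4.3.2 and 6.

Added illustration, not Apache Oltu code. The rule: a client MUST authenticate
only if it is confidential or was issued client credentials. A public client
may use the password grant or refresh a token with just its client_id.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional
import hmac


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    confidential: bool
    client_secret: Optional[str]  # None means the client was never issued credentials

    @property
    def must_authenticate(self) -> bool:
        # RFC 6749: "If the client type is confidential or the client was issued
        # client credentials ... the client MUST authenticate"
        return self.confidential or self.client_secret is not None


# Constructed sample registry: identifiers and secrets are hypothetical.
CLIENT_REGISTRY: Mapping[str, RegisteredClient] = {
    "mobile-app": RegisteredClient("mobile-app", confidential=False, client_secret=None),
    "web-backend": RegisteredClient("web-backend", confidential=True, client_secret="s3cret-web"),
}


class TokenRequestError(Exception):
    """Carries an RFC 6749 section 5.2 error code (invalid_client, invalid_request, ...)."""

    def __init__(self, error: str):
        super().__init__(error)
        self.error = error


# Grant-specific parameters that must be present before client auth is considered.
REQUIRED_PARAMS: Dict[str, tuple] = {
    "password": ("username", "password"),
    "refresh_token": ("refresh_token",),
}


def authenticate_client(params: Mapping[str, str], registry: Mapping[str, RegisteredClient],
                        enforce_client_authentication: bool = False) -> RegisteredClient:
    """Resolve the client and apply the RFC rule (or the unconditional flag)."""
    client_id = params.get("client_id")
    if not client_id or client_id not in registry:
        raise TokenRequestError("invalid_client")
    client = registry[client_id]
    if not (client.must_authenticate or enforce_client_authentication):
        return client  # public client without credentials: identification is enough
    presented = params.get("client_secret")
    expected = client.client_secret
    # A public client has no secret to compare against, so forcing auth rejects it.
    if presented is None or expected is None:
        raise TokenRequestError("invalid_client")
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        raise TokenRequestError("invalid_client")
    return client


def validate_token_request(params: Mapping[str, str],
                           registry: Mapping[str, RegisteredClient] = CLIENT_REGISTRY,
                           enforce_client_authentication: bool = False) -> dict:
    """Validate a password or refresh_token request; return what was established."""
    grant_type = params.get("grant_type")
    if grant_type not in REQUIRED_PARAMS:
        raise TokenRequestError("unsupported_grant_type")
    if any(not params.get(name) for name in REQUIRED_PARAMS[grant_type]):
        raise TokenRequestError("invalid_request")
    client = authenticate_client(params, registry, enforce_client_authentication)
    return {
        "grant_type": grant_type,
        "client_id": client.client_id,
        "client_authenticated": client.must_authenticate,
    }


def token_error(params: Mapping[str, str], **kwargs) -> Optional[str]:
    """Helper: the error code a request produces, or None if it validates."""
    try:
        validate_token_request(params, **kwargs)
    except TokenRequestError as exc:
        return exc.error
    return None
```

With the flag off, `mobile-app` (public, no secret) can use the password grant with only `client_id`, while `web-backend` is still rejected unless it presents its secret; with the flag on, the same public-client request fails with `invalid_client`, which is the behaviour the report describes.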