[ https://issues.apache.org/jira/browse/OLTU-179?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rikard Swahn updated OLTU-179:
------------------------------
    Description: 
Client credentials should not be required for any other flow than the client 
credentials flow. It is required in Oltu in the "Resource Owner Password 
Credentials Grant", "Authorization code Grant" and when refreshing tokens.

About refreshing access tokens, taken from 
http://tools.ietf.org/html/rfc6749#page-47 :
"If the client type is confidential or
   the client was issued client credentials (or assigned other
   authentication requirements), the client MUST authenticate with the
   authorization server as described in Section 3.2.1."
   
About the Resource Owner Password Credentials Grant, taken from 
http://tools.ietf.org/html/rfc6749#page-37 :
"If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1."

About the "Authorization code Grant" 
http://tools.ietf.org/html/rfc6749#section-4.1.3 :
"If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1."

So these validators should not set enforceClientAuthentication = true.

  was:
Client credentials should not be required for the "Resource Owner Password 
Credentials Grant" and when refreshing tokens.

About refreshing access tokens, taken from 
http://tools.ietf.org/html/rfc6749#page-47 :
"If the client type is confidential or
   the client was issued client credentials (or assigned other
   authentication requirements), the client MUST authenticate with the
   authorization server as described in Section 3.2.1."
   
About the Resource Owner Password Credentials Grant, taken from 
http://tools.ietf.org/html/rfc6749#page-37 :
"If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1."

So the PasswordValidator and the RefreshTokenValidator should not set 
enforceClientAuthentication = true.

        Summary: Client credentials are required  (was: Client credentials are 
required for the Resource Owner Credentials flow and for refreshing tokens)

> Client credentials are required
> -------------------------------
>
>                 Key: OLTU-179
>                 URL: https://issues.apache.org/jira/browse/OLTU-179
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-authzserver
>    Affects Versions: oauth2-1.0.0
>            Reporter: Rikard Swahn
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
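The rule the report quotes from RFC 6749, section 3.2.1, worked through as an added example (it is neither Oltu's validator code nor the reporter's): a hypothetical token-endpoint policy that decides whether to enforce client authentication from the client's registration (confidential, or issued a secret) instead of hard-coding it per grant type. `RegisteredClient`, `TokenRequestPolicy`, the `clients` map and the error strings chosen are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

/** Hypothetical client registration as the authorization server would store it. */
record RegisteredClient(String clientId, String secret, boolean confidential) {
    /** RFC 6749 section 3.2.1: authenticate if confidential or issued credentials. */
    boolean mustAuthenticate() { return confidential || secret != null; }
}
/** Hypothetical token-endpoint policy; not Oltu's validator classes. */
final class TokenRequestPolicy {
    private static final Set<String> GRANTS =
        Set.of("authorization_code", "password", "refresh_token", "client_credentials");
    private final Map<String, RegisteredClient> clients;
    TokenRequestPolicy(Map<String, RegisteredClient> clients) { this.clients = clients; }

    /** Returns null when the request passes, otherwise the RFC 6749 section 5.2 error code. */
    String validate(Map<String, String> form, String authorizationHeader) {
        String grantType = form.get("grant_type");
        if (grantType == null || !GRANTS.contains(grantType)) return "unsupported_grant_type";
        String clientId = form.get("client_id");
        String presentedSecret = null;
        if (authorizationHeader != null && authorizationHeader.startsWith("Basic ")) {
            byte[] raw;
            try { raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim()); }
            catch (IllegalArgumentException e) { return "invalid_request"; }
            String[] parts = new String(raw, StandardCharsets.UTF_8).split(":", 2);
            if (parts.length != 2) return "invalid_request";
            // Section 3.2.1: at most one authentication mechanism; reject a conflicting client_id.
            if (clientId != null && !clientId.equals(parts[0])) return "invalid_request";
            clientId = parts[0];
            presentedSecret = parts[1];
        }
        if (clientId == null) return "invalid_request";   // client_id is required when unauthenticated
        RegisteredClient client = clients.get(clientId);
        if (client == null) return "invalid_client";
        // Whether to enforce authentication depends on the client, not on the grant type;
        // only client_credentials (section 4.4) is restricted to authenticated clients outright.
        boolean enforce = "client_credentials".equals(grantType) || client.mustAuthenticate();
        if (enforce && (presentedSecret == null || client.secret() == null
                || !MessageDigest.isEqual(presentedSecret.getBytes(StandardCharsets.UTF_8),
                                          client.secret().getBytes(StandardCharsets.UTF_8)))) {
            return "invalid_client";
        }
        return null;   // public client on password/refresh_token/authorization_code: accepted without a secret
    }
}
```

A client registered with `confidential = false` and no secret passes a `password` or `refresh_token` request carrying only `client_id`, while any client that holds a secret gets `invalid_client` if it omits or mistypes its Basic credentials.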



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
