[
https://issues.apache.org/jira/browse/OLTU-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14743377#comment-14743377
]
Antonio Sanso commented on OLTU-179:
------------------------------------
So this is a typical uses case of the Resource Owner Password Credentials flow:
- the resource owner gives username/password to the client
- the client present its credentials + username/password to the Authorization
Server (AS)
- the AS gives an eccess token to the client
- the client presents the token to the Protected Resources (not that the
username/password isn't use anymore)
If the flow would user only and always username/password than you do not need
OAuth at all....
Mobiles app should use the "Authorization code Grant" flow (or if they have
they might use the Resource Owner Password Credentials flow ) leveraging
dynamic registration.... hence no hardcoded client secret...
> Client credentials should only be required for the client credentials flow
> --------------------------------------------------------------------------
>
> Key: OLTU-179
> URL: https://issues.apache.org/jira/browse/OLTU-179
> Project: Apache Oltu
> Issue Type: Bug
> Components: oauth2-authzserver
> Affects Versions: oauth2-1.0.0
> Reporter: Rikard Swahn
>
> Client credentials should not be required for any other flow than the client
> credentials flow. It is required in Oltu in the "Resource Owner Password
> Credentials Grant", "Authorization code Grant" (when requesting access token)
> and when refreshing tokens.
> About refreshing access tokens, taken from
> http://tools.ietf.org/html/rfc6749#page-47 :
> "If the client type is confidential or
> the client was issued client credentials (or assigned other
> authentication requirements), the client MUST authenticate with the
> authorization server as described in Section 3.2.1."
>
> About the Resource Owner Password Credentials Grant, taken from
> http://tools.ietf.org/html/rfc6749#page-37 :
> "If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1.
> About the "Authorization code Grant"
> http://tools.ietf.org/html/rfc6749#section-4.1.3 :
> If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1.
> Note however that for the "Authorization code Grant" the "client_id" param is
> required if client credentials are not given.
> So the validators for these cases should not set enforceClientAuthentication
> = true.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
