IMO we should have a config like "strictClientCredentialValidation".

true: must validate the credentials,
false: validate only when credentials are available in the request.

And this check should be done before hitting the
BasicAuthClientAuthHandler, at the authentication manager level.

We can start from there and then think about integration to the UI, which
would be required especially for multitenancy scenarios.

On Fri, Feb 20, 2015 at 3:04 PM, Nuwandi Wickramasinghe <[email protected]>
wrote:

> Hi,
>
> I have some concerns regarding JIRA issue [1]
>
> If client credentials are unavailable, is it ok to skip client
> authentication process in issue() method
> (org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer) for SAML2 bearer
> type ?
>
> Also should we give an option for user to select whether client
> credentials are optional or not? And fail authentication if no credentials
> are available and user says it's mandatory?
>
> [1] https://wso2.org/jira/browse/IDENTITY-3028
> --
>
> Best Regards,
>
> Nuwandi Wickramasinghe
>
> Software Engineer
>
> WSO2 Inc.
>
> Web : http://wso2.com
>
> Mobile : 0719214873
>



-- 
Dulanja Liyanage
WSO2 Inc.
M: +94776764717
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
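The switch proposed above, as an added example that is not WSO2's code: it models the check at the authentication-manager level, ahead of any Basic-auth handler, and shows that "validate only when available" still has to reject credentials that are present but wrong or malformed. The client registry, helper names and message strings are assumptions.

```python
"""Decision logic for a 'strictClientCredentialValidation' switch (added example)."""
import base64
import hmac
from typing import Optional, Tuple

# Constructed registry: client_id -> client_secret. A real store would hold a
# hash of the secret rather than the plaintext value.
CLIENTS = {"app1": "s3cret"}


def basic_header(client_id: str, secret: str) -> str:
    """Build an HTTP Basic Authorization value for a client (assumed helper)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def parse_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Return (client_id, secret) from a Basic header value, or None if unusable."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def authenticate_client(headers: dict, strict: bool) -> Tuple[bool, str]:
    """Apply the switch to one token request (e.g. a saml2-bearer grant).

    strict=True : credentials must be present and valid.
    strict=False: an absent credential is allowed; a present credential is
                  always validated and fails if wrong or malformed.
    """
    if "Authorization" not in headers:
        if strict:
            return False, "client credentials required"
        return True, "client authentication skipped"
    creds = parse_basic_auth(headers["Authorization"])
    if creds is None:
        # Present but unusable: never skipped, regardless of the switch.
        return False, "unsupported or malformed client credentials"
    client_id, secret = creds
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return False, "invalid client credentials"
    return True, "client authenticated"
```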
