Hi,

In IS-5.4.1 if there is no client authentication in the token request, we
are giving the error code unsupported_client_authentication_method.
According to the spec[1], if there is no client authentication or
unsupported client authentication, it will fall under "invalid_client".

invalid_client
               Client authentication failed (e.g., unknown client, no
               client authentication included, or unsupported
               authentication method).  The authorization server MAY
               return an HTTP 401 (Unauthorized) status code to indicate
               which HTTP authentication schemes are supported.  If the
               client attempted to authenticate via the "Authorization"
               request header field, the authorization server MUST
               respond with an HTTP 401 (Unauthorized) status code and
               include the "WWW-Authenticate" response header field
               matching the authentication scheme used by the client.
According to the spec, there is no standard error code like
unsupported_client_authentication_method. Is there any specific reason to
introduce a new error code unsupported_client_authentication_method in
IS 5.4.1?

Example:-

request:-
curl -k -d "grant_type=client_credentials" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     https://localhost:9443/oauth2/token

response:-
{"error_description":"Unsupported Client Authentication Method!","error":"unsupported_client_authentication_method"}

Please correct me if I'm wrong.

[1] https://tools.ietf.org/html/rfc6749#section-5.2


Thanks,
Nila.

-- 
Nilasini Thirunavukkarasu
Software Engineer - WSO2

Email : nilas...@wso2.com
Mobile : +94775241823
Web : http://wso2.com/


_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
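To make the RFC 6749 section 5.2 behaviour discussed in this thread concrete, here is an added example (not WSO2 IS code) of a token endpoint's client-authentication check that maps every failure, including a request with no client authentication at all, to the single spec error "invalid_client", and adds the 401 plus WWW-Authenticate that the spec requires when the client used the Authorization header. The CLIENTS registry and the realm value are constructed for the example.

```python
import base64
import hmac

# Constructed client registry for this example; a real server looks clients up in its store.
CLIENTS = {"my_client_id": "my_client_secret"}


def basic_header(client_id, client_secret):
    """Authorization value a client sends with HTTP Basic (what `curl -u id:secret` does)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _error(status, description, advertise_basic):
    """Shape an RFC 6749 section 5.2 error response as (status, headers, body)."""
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if advertise_basic:
        # Tell the client which HTTP authentication scheme the token endpoint supports.
        headers["WWW-Authenticate"] = 'Basic realm="oauth2/token"'
    return status, headers, {"error": "invalid_client", "error_description": description}


def token_endpoint_error(headers, form):
    """Authenticate the client of a token request.

    Returns None when authentication succeeds, otherwise the error response.
    Every client-authentication failure (none included, unsupported scheme,
    unknown client, bad secret) maps to the one spec error "invalid_client".
    """
    authz = headers.get("Authorization")
    client_id, client_secret = form.get("client_id"), form.get("client_secret")
    if authz is not None:
        scheme, _, param = authz.partition(" ")
        if scheme.lower() != "basic":
            # Client used the Authorization header: 401 + WWW-Authenticate is a MUST.
            return _error(401, "unsupported client authentication method", True)
        try:
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return _error(401, "malformed Basic credentials", True)
        client_id, _, client_secret = decoded.partition(":")
    elif client_id is None or client_secret is None:
        # No client authentication at all: default 400 (the spec says a 401 MAY be used).
        return _error(400, "no client authentication included", False)
    expected = CLIENTS.get(client_id)
    # compare_digest keeps the secret check constant-time; client_id itself is not secret.
    if expected is None or not hmac.compare_digest(client_secret.encode(), expected.encode()):
        return _error(401 if authz is not None else 400, "client authentication failed", authz is not None)
    return None
```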
