[
https://issues.apache.org/jira/browse/OLTU-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14743325#comment-14743325
]
Rikard Swahn commented on OLTU-179:
-----------------------------------
[~asanso] I think it is a valid case that an official app would do that. You
could also have a separate endpoint which does the same thing for log in with
username and password, but why not use the OAuth flow for it? Or am I missing
something?
The spec also says clearly "authenticate the client IF client authentication is
included". For some clients like mobile apps or client side web apps it does
not add a lot of security to give the client credentials too.
> Client credentials should only be required for the client credentials flow
> --------------------------------------------------------------------------
>
> Key: OLTU-179
> URL: https://issues.apache.org/jira/browse/OLTU-179
> Project: Apache Oltu
> Issue Type: Bug
> Components: oauth2-authzserver
> Affects Versions: oauth2-1.0.0
> Reporter: Rikard Swahn
>
> Client credentials should not be required for any other flow than the client
> credentials flow. It is required in Oltu in the "Resource Owner Password
> Credentials Grant", "Authorization code Grant" (when requesting access token)
> and when refreshing tokens.
> About refreshing access tokens, taken from
> http://tools.ietf.org/html/rfc6749#page-47 :
> "If the client type is confidential or
> the client was issued client credentials (or assigned other
> authentication requirements), the client MUST authenticate with the
> authorization server as described in Section 3.2.1."
>
> About the Resource Owner Password Credentials Grant, taken from
> http://tools.ietf.org/html/rfc6749#page-37 :
> "If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1."
> About the "Authorization code Grant"
> http://tools.ietf.org/html/rfc6749#section-4.1.3 :
> "If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1."
> Note however that for the "Authorization code Grant" the "client_id" param is
> required if client credentials are not given.
> So the validators for these cases should not set enforceClientAuthentication
> = true.
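The conditional rule quoted from RFC 6749 above, written out as a token-endpoint check (an added example, not Oltu code; it uses a constructed client registry and assumes client_id is always sent so the server can look up the client type; the enforce_for_all_grants flag reproduces the reported "enforceClientAuthentication = true for every grant" behaviour for comparison):

```python
"""Token-endpoint client-authentication policy per RFC 6749 (constructed example)."""
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    confidential: bool            # client type, RFC 6749 section 2.1
    secret: Optional[str] = None  # None: no client credentials were issued


# Constructed registry: one confidential server-side app, one public mobile app.
CLIENTS = {
    "web-app": RegisteredClient("web-app", confidential=True, secret="s3cret"),
    "mobile-app": RegisteredClient("mobile-app", confidential=False),
}


def validate_token_request(grant_type: str, client_id: Optional[str] = None,
                           client_secret: Optional[str] = None,
                           enforce_for_all_grants: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason). enforce_for_all_grants=True mimics validators that
    require client authentication for every grant; False applies the conditional
    rule of RFC 6749 sections 4.1.3, 4.3.2 and 6."""
    # Client credentials grant: the client acts as resource owner, so it must authenticate.
    if grant_type == "client_credentials" and client_secret is None:
        return False, "client_credentials grant requires client authentication"
    # Every flow identifies the client, through credentials or through client_id.
    if client_id is None:
        return False, "client_id required when no client credentials are presented"
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "invalid_client: unknown client_id"
    # "authenticate the client if client authentication is included": presented
    # credentials are always verified, even for a flow that would not require them.
    if client_secret is not None:
        if client.secret is None or not hmac.compare_digest(client.secret, client_secret):
            return False, "invalid_client: authentication failed"
        return True, "client authenticated"
    # No credentials presented: acceptable only for a public client with none issued.
    if client.confidential or client.secret is not None:
        return False, "invalid_client: confidential client must authenticate"
    if enforce_for_all_grants:
        return False, "invalid_client: authentication enforced for every grant"
    return True, "public client identified by client_id"
```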
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)