[
https://issues.apache.org/jira/browse/OLTU-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14743462#comment-14743462
]
Antonio Sanso commented on OLTU-179:
------------------------------------
I agree the spec is ambiguous. In any case, in Oltu we already cover this in
{{OAuthUnauthenticatedTokenRequest}}. So I marked this as fixed :)
> Client credentials should only be required for the client credentials flow
> --------------------------------------------------------------------------
>
> Key: OLTU-179
> URL: https://issues.apache.org/jira/browse/OLTU-179
> Project: Apache Oltu
> Issue Type: Bug
> Components: oauth2-authzserver
> Affects Versions: oauth2-1.0.0
> Reporter: Rikard Swahn
>
> Client credentials should not be required for any other flow than the client
> credentials flow. It is required in Oltu in the "Resource Owner Password
> Credentials Grant", "Authorization code Grant" (when requesting access token)
> and when refreshing tokens.
> About refreshing access tokens, taken from
> http://tools.ietf.org/html/rfc6749#page-47 :
> "If the client type is confidential or
> the client was issued client credentials (or assigned other
> authentication requirements), the client MUST authenticate with the
> authorization server as described in Section 3.2.1."
>
> About the Resource Owner Password Credentials Grant, taken from
> http://tools.ietf.org/html/rfc6749#page-37 :
> "If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1."
> About the "Authorization code Grant", taken from
> http://tools.ietf.org/html/rfc6749#section-4.1.3 :
> "If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1."
> Note however that for the "Authorization code Grant" the "client_id" param is
> required if client credentials are not given.
> So the validators for these cases should not set enforceClientAuthentication = true.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
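The rule the reporter quotes from RFC 6749 keys on the client, not the grant type: authentication is mandatory when the client is confidential or was issued credentials, and a public client that does not authenticate must at least send `client_id`. The following is an added example written for this comment, not Oltu's code; the client registry, request shapes and the `client_credentials` special case (where only confidential clients are admitted) are assumptions of the example.

```python
# Added example (not Oltu's code): decide whether a token request must carry
# client authentication, following RFC 6749 Sections 3.2.1, 4.1.3, 4.3.2 and 6.
# The decision depends on the registered client, not on the grant type, except
# that the client credentials grant itself always requires authentication.
import base64
from dataclasses import dataclass
from typing import Optional

@dataclass
class RegisteredClient:
    client_id: str
    confidential: bool              # client type, RFC 6749 Section 2.1
    client_secret: Optional[str]    # None when no credentials were issued

# Constructed sample registry: a confidential web app and a public native app.
CLIENTS = {
    "webapp": RegisteredClient("webapp", True, "s3cret"),
    "mobile": RegisteredClient("mobile", False, None),
}

def basic_auth_header(client_id, secret):
    """Build the HTTP Basic header a client uses for Section 3.2.1 authentication."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}

def parse_basic_auth(headers):
    """Return (client_id, secret) from a Basic Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    return user, pw

def validate_token_request(params, headers):
    """params/headers model a token endpoint POST; returns (ok, reason)."""
    grant = params.get("grant_type")
    creds = parse_basic_auth(headers)
    # Authenticated credentials identify the client; otherwise client_id is required.
    client_id = creds[0] if creds else params.get("client_id")
    if client_id is None:
        return False, "invalid_request: client_id or client authentication required"
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "invalid_client"
    must_authenticate = (grant == "client_credentials" or client.confidential
                         or client.client_secret is not None)
    if must_authenticate and (creds is None or creds[1] != client.client_secret):
        return False, "invalid_client: client authentication required"
    return True, "ok"   # public client without issued credentials: no auth enforced
```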