Hi Lorenzo.
You need a header called X-Service with the value client_id, and you 
should not send client_secret.
If you send client_secret you are always validating the service definition 
(client_id/client_secret), not validating user/password.


Example (the duplicated Postman headers have been dropped and the -d 
argument joined onto one continuation line so the command runs as pasted):
curl -X POST \
  https://cas.server/cas/oauth2.0/token \
  -H 'Accept: */*' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'X-Service: PostmanOAUTHPASSWD' \
  -d 'grant_type=password&client_id=PostmanOAUTHPASSWD&username=USUARIO&password=PASSWD&scope=SCOPE1'

On Wednesday, 13 February 2019 at 9:57:11 (UTC+1), Lorenzo Di Cola 
wrote:
>
> Hi all,
> I'm using CAS 5.3.7 and I'm working on the OAuth authentication following 
> the guide [1]. I need to use the Resource Owner Credentials [2].
> I'm calling the endpoint */oauth2.0/accessToken* passing the parameters 
> *grant_type=password&client_id=ID&client_secret=<SECRET>&username=USERNAME&password=PASSWORD*
>  
> (obviously). 
> With the same user's credentials passed to the previous call I'm able to 
> log in successfully inside CAS.
> The issue for me is: if, during the call to the endpoint 
> */oauth2.0/accessToken*, I set, in the parameters, a wrong username and/or a 
> wrong password, I'm always able to get the Access Token. 
> I tried to search inside the code for where the authentication, in this 
> endpoint, should be done, but I was not able to find it.
> Is it possible that the authentication, for this endpoint, is never done?
>
> Thanks all for your support.
> Best regards,
> Lorenzo Di Cola
>
> [1] 
> https://apereo.github.io/cas/5.3.x/installation/OAuth-OpenId-Authentication.html#oauthopenid-authentication
> [2] 
> https://apereo.github.io/cas/5.3.x/installation/OAuth-OpenId-Authentication.html#resource-owner-credentials
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/19e35031-67bc-4ed8-b148-1a5476b6d6ef%40apereo.org.
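Added example, not code from the thread or from the CAS project: a small Python 3 client (standard library only) that builds the Resource Owner Password Credentials request the way the reply above recommends (X-Service header carrying the client_id, no client_secret in the body) and runs the regression check Lorenzo was missing, namely that a deliberately wrong password must not yield an access token. The transport is injectable so the check can be pointed at a real CAS over HTTPS or at the constructed fake_cas() below, which only models the behaviour the thread describes (client_secret present: the service definition is validated and a token comes back regardless of the user's password; client_secret absent: the user's password decides). The URL, client name and credentials are taken from the thread's curl example; the fake's token strings and the form-encoded fallback in parse_token_response() are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Taken from the thread's curl example; adjust for your deployment.
TOKEN_URL = "https://cas.server/cas/oauth2.0/token"
CLIENT_ID = "PostmanOAUTHPASSWD"


def build_password_grant(client_id, username, password, scope=None, client_secret=None):
    """Return (headers, body) for a password-grant request to the CAS token endpoint.

    As recommended in the reply: X-Service carries the client_id and client_secret
    is normally omitted. client_secret is accepted here only so the misconfigured
    request can be reproduced for comparison.
    """
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    if scope:
        form["scope"] = scope
    if client_secret is not None:        # discouraged: shifts validation to the service definition
        form["client_secret"] = client_secret
    headers = {"Accept": "*/*",
               "Content-Type": "application/x-www-form-urlencoded",
               "X-Service": client_id}
    return headers, urllib.parse.urlencode(form)


def http_post(url, headers, body):
    """Real transport: POST the form body and return (status, response_text)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:   # 4xx/5xx still carry a useful body
        return e.code, e.read().decode()


def parse_token_response(status, text):
    """Extract access_token from a 200 response, or return None.

    Assumption: the body is JSON ({"access_token": ...}); as a fallback a
    form-encoded body (access_token=...&expires=...) is also accepted.
    """
    if status != 200:
        return None
    try:
        data = json.loads(text)
        if isinstance(data, dict):
            return data.get("access_token")
    except ValueError:
        pass
    return urllib.parse.parse_qs(text).get("access_token", [None])[0]


def check_wrong_password_rejected(post, url, client_id, username, bad_password):
    """Regression check for the symptom in the thread.

    Sends the recommended request shape with a wrong password; returns True only
    if the server withheld the token (the secure outcome), False if it issued one.
    """
    headers, body = build_password_grant(client_id, username, bad_password)
    status, text = post(url, headers, body)
    return parse_token_response(status, text) is None


def fake_cas(url, headers, body):
    """Constructed stand-in for the token endpoint (not CAS code).

    Models only what the thread states: X-Service must name the client; with
    client_secret present the service definition alone is checked and a token is
    issued whatever the user's password; without it, username/password decides.
    """
    form = dict(urllib.parse.parse_qsl(body))
    if headers.get("X-Service") != form.get("client_id"):
        return 400, '{"error":"invalid_request"}'
    if "client_secret" in form:
        return 200, '{"access_token":"AT-1-constructed","token_type":"bearer","expires_in":28800}'
    if (form.get("username"), form.get("password")) == ("USUARIO", "PASSWD"):
        return 200, '{"access_token":"AT-2-constructed","token_type":"bearer","expires_in":28800}'
    return 401, '{"error":"invalid_grant"}'


if __name__ == "__main__":
    # Swap fake_cas for http_post to run the check against a real server.
    ok = check_wrong_password_rejected(fake_cas, TOKEN_URL, CLIENT_ID, "USUARIO", "definitely-wrong")
    print("wrong password rejected:", ok)
```

Run the check against a real deployment by passing http_post instead of fake_cas; if it returns False, the endpoint is handing out tokens on client credentials alone, which is exactly the behaviour Lorenzo reported when client_secret was included in the form.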
