oltu-dev mailing list archives

From "Rikard Swahn (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OLTU-179) Client credentials are required for the Resource Owner Credentials flow and for refreshing tokens
Date Fri, 11 Sep 2015 12:37:45 GMT
Rikard Swahn created OLTU-179:
---------------------------------

             Summary: Client credentials are required for the Resource Owner Credentials flow and for refreshing tokens
                 Key: OLTU-179
                 URL: https://issues.apache.org/jira/browse/OLTU-179
             Project: Apache Oltu
          Issue Type: Bug
          Components: oauth2-authzserver
    Affects Versions: oauth2-1.0.0
            Reporter: Rikard Swahn


Client credentials should not be required for the "Resource Owner Password Credentials Grant" and when refreshing tokens.

About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47 :
"If the client type is confidential or
   the client was issued client credentials (or assigned other
   authentication requirements), the client MUST authenticate with the
   authorization server as described in Section 3.2.1."

About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37 :
"If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1."

So the PasswordValidator and the RefreshTokenValidator should not set enforceClientAuthentication = true.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
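Added worked example, not Apache Oltu code and not part of the report above: a token-endpoint client check for the two grants the issue names. It implements the condition quoted from RFC 6749 (sections 4.3.2 and 6): the client must authenticate when it is confidential or was issued credentials, and a public client without credentials only identifies itself with client_id. An enforce_always switch reproduces the unconditional behaviour the report describes, so the two policies can be compared on the same requests. The client registry, request shape, function names and error strings are assumptions made for the example.

```python
"""Client authentication at the token endpoint for the password and
refresh_token grants (illustrative example, not Oltu's implementation)."""
import base64
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool
    client_secret: Optional[str] = None  # None: no credentials issued (public)


# Constructed sample registry (assumption): one confidential, one public client.
CLIENTS: Mapping[str, Client] = {
    "web-app": Client("web-app", confidential=True, client_secret="s3cret"),
    "mobile-app": Client("mobile-app", confidential=False),
}

GRANTS_AFFECTED = {"password", "refresh_token"}


class OAuthError(Exception):
    """Carries the RFC 6749 error code the endpoint would return."""
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error


def basic_header(client_id: str, secret: str) -> str:
    """Build an HTTP Basic Authorization header value (RFC 6749 2.3.1)."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return "Basic " + token


def _client_from_basic(auth_header: Optional[str]):
    """Return (client_id, secret) from a Basic header, or None if absent."""
    if not auth_header or not auth_header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode()
        client_id, secret = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        raise OAuthError("invalid_client", "malformed Basic credentials")
    return client_id, secret


def validate_client(params: Mapping[str, str], auth_header: Optional[str],
                    registry: Mapping[str, Client] = CLIENTS,
                    enforce_always: bool = False) -> Client:
    """Identify the client and authenticate it only where the RFC requires.

    enforce_always=True mirrors the behaviour reported in OLTU-179: every
    password/refresh_token request must carry client credentials, which
    locks out public clients that were never issued a secret.
    """
    grant = params.get("grant_type")
    if grant not in GRANTS_AFFECTED:
        raise OAuthError("unsupported_grant_type", f"{grant!r} not handled here")

    basic = _client_from_basic(auth_header)
    if basic:
        client_id, secret = basic
        # RFC 6749 2.3.1: a client must not use more than one auth method.
        if "client_secret" in params:
            raise OAuthError("invalid_request", "multiple client authentication methods")
    else:
        client_id, secret = params.get("client_id"), params.get("client_secret")

    if not client_id:
        raise OAuthError("invalid_client", "client_id missing")
    client = registry.get(client_id)
    if client is None:
        raise OAuthError("invalid_client", "unknown client")

    # The quoted RFC condition: confidential, or credentials were issued.
    must_authenticate = (enforce_always or client.confidential
                         or client.client_secret is not None)
    if must_authenticate:
        if (secret is None or client.client_secret is None
                or not hmac.compare_digest(secret, client.client_secret)):
            raise OAuthError("invalid_client", "client authentication failed")
    return client


def check(params: Mapping[str, str], auth_header: Optional[str] = None,
          enforce_always: bool = False) -> str:
    """Convenience wrapper: 'ok:<client_id>' or 'error:<error_code>'."""
    try:
        return "ok:" + validate_client(params, auth_header,
                                       enforce_always=enforce_always).client_id
    except OAuthError as exc:
        return "error:" + exc.error


if __name__ == "__main__":
    public_refresh = {"grant_type": "refresh_token", "refresh_token": "r1",
                      "client_id": "mobile-app"}
    print("RFC rule      :", check(public_refresh))
    print("always enforce:", check(public_refresh, enforce_always=True))
    print("confidential  :", check({"grant_type": "password", "username": "alice",
                                    "password": "pw"}, basic_header("web-app", "s3cret")))
```

The public client's refresh request passes under the RFC condition but fails with invalid_client when authentication is enforced unconditionally; the confidential client fails whenever it omits or mis-states its secret, which is the part of the RFC text that must stay enforced regardless of grant type.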
