oltu-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rikard Swahn (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OLTU-179) Client credentials are required
Date Fri, 11 Sep 2015 14:00:50 GMT 

     [ https://issues.apache.org/jira/browse/OLTU-179?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Rikard Swahn updated OLTU-179:
------------------------------
    Description: 
Client credentials should not be required for any other flow than the client credentials flow.
It is required in Oltu in the "Resource Owner Password Credentials Grant", "Authorization
code Grant" and when refreshing tokens.

About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47 :
"If the client type is confidential or
   the client was issued client credentials (or assigned other
   authentication requirements), the client MUST authenticate with the
   authorization server as described in Section 3.2.1."
   
About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37
:
"If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1.  

About the "Authorization code Grant" 
http://tools.ietf.org/html/rfc6749#section-4.1.3 :
  If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1.
Note however that the "client_id" param is required if client credentials are not given.

So these validators should not set enforceClientAuthentication = true.

  was:
Client credentials should not be required for any other flow than the client credentials flow.
It is required in Oltu in the "Resource Owner Password Credentials Grant", "Authorization
code Grant" and when refreshing tokens.

About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47 :
"If the client type is confidential or
   the client was issued client credentials (or assigned other
   authentication requirements), the client MUST authenticate with the
   authorization server as described in Section 3.2.1."
   
About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37
:
"If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1.  

About the "Authorization code Grant" 
http://tools.ietf.org/html/rfc6749#section-4.1.3 :
  If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1.

So these validators should not set enforceClientAuthentication = true.


> Client credentials are required
> -------------------------------
>
>                 Key: OLTU-179
>                 URL: https://issues.apache.org/jira/browse/OLTU-179
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-authzserver
>    Affects Versions: oauth2-1.0.0
>            Reporter: Rikard Swahn
>
> Client credentials should not be required for any other flow than the client credentials
flow. It is required in Oltu in the "Resource Owner Password Credentials Grant", "Authorization
code Grant" and when refreshing tokens.
> About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47
:
> "If the client type is confidential or
>    the client was issued client credentials (or assigned other
>    authentication requirements), the client MUST authenticate with the
>    authorization server as described in Section 3.2.1."
>    
> About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37
:
> "If the client type is confidential or the client was issued client
>    credentials (or assigned other authentication requirements), the
>    client MUST authenticate with the authorization server as described
>    in Section 3.2.1.  
> About the "Authorization code Grant" 
> http://tools.ietf.org/html/rfc6749#section-4.1.3 :
>   If the client type is confidential or the client was issued client
>    credentials (or assigned other authentication requirements), the
>    client MUST authenticate with the authorization server as described
>    in Section 3.2.1.
> Note however that the "client_id" param is required if client credentials are not given.
> So these validators should not set enforceClientAuthentication = true.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Mime
View raw message