Posted to user@oltu.apache.org by Mathieu Bernard <ma...@brnrd.fr> on 2014/02/10 17:11:57 UTC

Client authentication using the password flow?

Hello world,

I'm new to OAuth2 and the Oltu project. I have been digging and hacking in
the project sources for a week.

I'm trying to implement the password grant type flow and I'm surprised to
see that I need to provide client_id and client_secret for this type of
authorization flow. It seems it's due to the boolean
enforceClientAuthentication in PasswordValidator.java.
However, the OAuth 2 spec (http://tools.ietf.org/html/rfc6749#section-4.3)
states that only the username, password and grant_type are required.

Why does Oltu force you to add the client authentication when using the
password flow?
Am I missing something?

Cheers,
Mathieu.