Posted to dev@oltu.apache.org by "Rikard Swahn (JIRA)" <ji...@apache.org> on 2015/09/14 11:30:45 UTC

[jira] [Comment Edited] (OLTU-179) Client credentials should only be required for the client credentials flow

    [ https://issues.apache.org/jira/browse/OLTU-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14743227#comment-14743227 ] 

Rikard Swahn edited comment on OLTU-179 at 9/14/15 9:30 AM:
------------------------------------------------------------

That is how I understand it when I read this: http://tools.ietf.org/html/rfc6749#section-4.1.3

"IF the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate"
(And the same text is used for the other flows also.)

Furthermore, also see the description for client_id:
"REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1."
So that tells us that client authentication is not required.



was (Author: rikardswahn):
That is how I understand it when I read this: http://tools.ietf.org/html/rfc6749#section-4.1.3

"IF the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate"

And the same text is used for the other flows also.


> Client credentials should only be required for the client credentials flow
> --------------------------------------------------------------------------
>
>                 Key: OLTU-179
>                 URL: https://issues.apache.org/jira/browse/OLTU-179
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-authzserver
>    Affects Versions: oauth2-1.0.0
>            Reporter: Rikard Swahn
>
> Client credentials should not be required for any other flow than the client credentials flow. It is required in Oltu in the "Resource Owner Password Credentials Grant", "Authorization code Grant" (when requesting access token) and when refreshing tokens.
> About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47 :
> "If the client type is confidential or
>    the client was issued client credentials (or assigned other
>    authentication requirements), the client MUST authenticate with the
>    authorization server as described in Section 3.2.1."
>    
> About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37 :
> "If the client type is confidential or the client was issued client
>    credentials (or assigned other authentication requirements), the
>    client MUST authenticate with the authorization server as described
>    in Section 3.2.1."
> About the "Authorization code Grant" 
> http://tools.ietf.org/html/rfc6749#section-4.1.3 :
>   If the client type is confidential or the client was issued client
>    credentials (or assigned other authentication requirements), the
>    client MUST authenticate with the authorization server as described
>    in Section 3.2.1.
> Note however that for the "Authorization code Grant" the "client_id" param is required if client credentials are not given.
> So the validators for these cases should not set enforceClientAuthentication = true.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
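The rule the reporter quotes from RFC 6749 (a client MUST authenticate at the token endpoint if it is confidential or was issued credentials; otherwise client_id is REQUIRED as a plain parameter) can be stated as a small validator. The block below is an added example written for this page; it is not Apache Oltu code and does not use Oltu's classes. The client registry, the `Client` record, and the function names `authenticate_client`, `check_token_request` and `basic_auth_header` are assumptions made here, and the sample clients and requests are constructed inline. It also handles two edge cases the RFC calls out in section 2.3: malformed Basic credentials, and a client that uses more than one authentication method in a single request.

```python
"""Token-endpoint client authentication per RFC 6749 sections 2.3, 3.2.1 and 4.1.3.

Illustrative code written for the OLTU-179 discussion; not Oltu's own code.
The registry, request shape and helper names below are assumptions.
"""
import base64
import binascii
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool
    secret: Optional[str] = None  # None means no client credentials were issued


# Constructed registry: one confidential client and one public client.
REGISTRY = {
    "web-app": Client("web-app", confidential=True, secret="s3cr3t"),
    "mobile-app": Client("mobile-app", confidential=False),
}


class TokenRequestError(Exception):
    """Carries the RFC 6749 section 5.2 error code the server should return."""

    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error


def basic_auth_header(client_id: str, secret: str) -> str:
    """Build the Authorization header value described in RFC 6749 section 2.3.1."""
    userpass = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode("utf-8")
    return "Basic " + base64.b64encode(userpass).decode("ascii")


def _basic_credentials(headers: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Parse an HTTP Basic header into (client_id, secret); None if absent."""
    auth = headers.get("Authorization")
    if not auth or not auth.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise TokenRequestError("invalid_client", "malformed Basic credentials")
    if ":" not in raw:
        raise TokenRequestError("invalid_client", "malformed Basic credentials")
    cid, secret = raw.split(":", 1)
    return unquote(cid), unquote(secret)  # both halves are form-urlencoded before base64


def authenticate_client(headers: Mapping[str, str], params: Mapping[str, str]) -> Client:
    """Resolve the client behind a token request and enforce section 3.2.1.

    Works the same for authorization_code, password and refresh_token grants:
    the grant type does not decide whether authentication is required, the
    registered client type does.
    """
    header_creds = _basic_credentials(headers)
    body_creds = None
    if params.get("client_secret") is not None:
        body_creds = (params.get("client_id", ""), params["client_secret"])
    if header_creds and body_creds:
        # Section 2.3: MUST NOT use more than one authentication method per request.
        raise TokenRequestError("invalid_request", "multiple client authentication methods")
    creds = header_creds or body_creds

    client_id = creds[0] if creds else params.get("client_id")
    if not client_id:
        # Sections 4.1.3 / 4.3.2 / 6: client_id is REQUIRED when not authenticating.
        raise TokenRequestError("invalid_client", "client_id missing and no client authentication")
    client = REGISTRY.get(client_id)
    if client is None:
        raise TokenRequestError("invalid_client", "unknown client")

    must_authenticate = client.confidential or client.secret is not None
    if must_authenticate:
        expected = (client.secret or "").encode("utf-8")
        if creds is None or not hmac.compare_digest(creds[1].encode("utf-8"), expected):
            raise TokenRequestError("invalid_client", "client authentication failed")
    elif creds is not None:
        # Design choice here: a public client has nothing to verify a secret against,
        # so a presented secret is treated as a misconfigured or spoofed client.
        raise TokenRequestError("invalid_client", "public client presented credentials")
    return client


def check_token_request(headers: Mapping[str, str], params: Mapping[str, str]) -> str:
    """Return 'ok:<client_id>' or the error code a token endpoint would send back."""
    try:
        return "ok:" + authenticate_client(headers, params).client_id
    except TokenRequestError as exc:
        return exc.error


if __name__ == "__main__":
    # The OLTU-179 case: a public client sends only client_id and is accepted.
    print(check_token_request({}, {"grant_type": "password", "client_id": "mobile-app",
                                   "username": "alice", "password": "pw"}))
    # A confidential client without credentials is rejected.
    print(check_token_request({}, {"grant_type": "refresh_token", "client_id": "web-app",
                                   "refresh_token": "r1"}))
```

The comparison the issue draws is visible in `must_authenticate`: it depends on how the client was registered, not on which grant is being used, which is the opposite of setting `enforceClientAuthentication` unconditionally for the password, authorization code and refresh validators. Secrets are compared with `hmac.compare_digest` so a wrong guess does not leak timing information.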