oltu-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rikard Swahn (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OLTU-179) Client credentials should only be required for the client credentials flow
Date Mon, 14 Sep 2015 10:14:45 GMT

    [ https://issues.apache.org/jira/browse/OLTU-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14743325#comment-14743325
] 

Rikard Swahn commented on OLTU-179:
-----------------------------------

[~asanso] I think it is a valid case that an official app would do that. You could also have
a separate endpoint which does the same thing for log in with username and password, but why
not use the oauth flow for it? Or am I missing something?

The spec also says clearly "authenticate the client IF client authentication is included".
For some clients like mobile apps or client side web apps it does not add a lot of security
to give the client credentials too.

> Client credentials should only be required for the client credentials flow
> --------------------------------------------------------------------------
>
>                 Key: OLTU-179
>                 URL: https://issues.apache.org/jira/browse/OLTU-179
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-authzserver
>    Affects Versions: oauth2-1.0.0
>            Reporter: Rikard Swahn
>
> Client credentials should not be required for any other flow than the client credentials
flow. It is required in Oltu in the "Resource Owner Password Credentials Grant", "Authorization
code Grant" (when requesting access token) and when refreshing tokens.
> About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47
:
> "If the client type is confidential or
>    the client was issued client credentials (or assigned other
>    authentication requirements), the client MUST authenticate with the
>    authorization server as described in Section 3.2.1."
>    
> About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37
:
> "If the client type is confidential or the client was issued client
>    credentials (or assigned other authentication requirements), the
>    client MUST authenticate with the authorization server as described
>    in Section 3.2.1.  
> About the "Authorization code Grant" 
> http://tools.ietf.org/html/rfc6749#section-4.1.3 :
>   If the client type is confidential or the client was issued client
>    credentials (or assigned other authentication requirements), the
>    client MUST authenticate with the authorization server as described
>    in Section 3.2.1.
> Note however that for the "Authorization code Grant" the "client_id" param is required
if client credentials are not given.
> So the validators for these cases should not set enforceClientAuthentication = true.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message