Subject: [jira] [Comment Edited] (OLTU-179) Client credentials should only be required for the client credentials flow
From: "Rikard Swahn (JIRA)"
To: dev@oltu.apache.org
Date: Mon, 14 Sep 2015 09:39:46 +0000 (UTC)

[ https://issues.apache.org/jira/browse/OLTU-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14743249#comment-14743249 ]

Rikard Swahn edited comment on OLTU-179 at 9/14/15 9:39 AM:
------------------------------------------------------------

Well, you have a point, for the Auth code grant it does not really make sense, the spec has to be wrong or very unclear.
In the other flows (Resource Owner Password Credentials and refreshing tokens) it is reasonable to not require it I think.

was (Author: rikardswahn):
Well, for the Auth code grant it does not really make sense, the spec has to be wrong or very unclear.
In the other flows (Resource Owner Password Credentials and refreshing tokens) it is reasonable to not require it I think.

> Client credentials should only be required for the client credentials flow
> --------------------------------------------------------------------------
>
>                 Key: OLTU-179
>                 URL: https://issues.apache.org/jira/browse/OLTU-179
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-authzserver
>    Affects Versions: oauth2-1.0.0
>            Reporter: Rikard Swahn
>
> Client credentials should not be required for any other flow than the client credentials flow. It is required in Oltu in the "Resource Owner Password Credentials Grant", "Authorization code Grant" (when requesting access token) and when refreshing tokens.
>
> About refreshing access tokens, taken from http://tools.ietf.org/html/rfc6749#page-47 :
>
> "If the client type is confidential or
> the client was issued client credentials (or assigned other
> authentication requirements), the client MUST authenticate with the
> authorization server as described in Section 3.2.1."
>
> About the Resource Owner Password Credentials Grant, taken from http://tools.ietf.org/html/rfc6749#page-37 :
>
> "If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1."
>
> About the "Authorization code Grant", http://tools.ietf.org/html/rfc6749#section-4.1.3 :
>
> "If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1."
>
> Note however that for the "Authorization code Grant" the "client_id" param is required if client credentials are not given.
>
> So the validators for these cases should not set enforceClientAuthentication = true.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
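The rule the ticket quotes from RFC 6749, worked through as an added example that is not Oltu code and not part of this thread: a token-endpoint check that requires client authentication unconditionally only for the client credentials grant, requires it for the other grants only when the registered client is confidential, and for the authorization code grant insists on client_id when no credentials are sent. The CLIENTS registry, the function names and the reason strings are assumptions made for the example.

```python
import base64
import secrets
# Constructed client registry (an assumption, not Oltu's model): a confidential client with a secret, a public one without.
CLIENTS = {
    "web-app": {"confidential": True, "secret": "s3cret"},
    "mobile-app": {"confidential": False, "secret": None},
}

def basic_auth_header(client_id, secret):
    # The HTTP Basic header a client sends under RFC 6749 section 2.3.1.
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}

def authenticate_client(headers):
    # Returns the client_id when the Basic credentials verify, else None.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    client = CLIENTS.get(cid)
    if client is None or client["secret"] is None:
        return None
    return cid if secrets.compare_digest(secret, client["secret"]) else None

def check_token_request(headers, params):
    grant = params.get("grant_type")
    authed = authenticate_client(headers)
    if "Authorization" in headers and authed is None:
        return (False, "invalid_client")  # credentials presented but wrong: never fall back to anonymous
    if grant == "client_credentials":
        return (authed is not None, "ok" if authed else "client authentication required")  # section 4.4: always
    if grant not in ("authorization_code", "password", "refresh_token"):
        return (False, "unsupported_grant_type")
    client_id = params.get("client_id")
    if authed and client_id and client_id != authed:
        return (False, "client_id does not match authenticated client")
    client_id = authed or client_id
    if grant == "authorization_code" and client_id is None:
        return (False, "client_id required")  # section 4.1.3: unauthenticated clients MUST send client_id
    if client_id is not None:
        client = CLIENTS.get(client_id)
        if client is None:
            return (False, "unknown client")
        if client["confidential"] and authed is None:
            return (False, "confidential client must authenticate")  # sections 4.1.3, 4.3.2 and 6
    return (True, "ok")  # public client, or a refresh_token request the token's own binding identifies
```

A real server would additionally resolve the refresh token or authorization code to the client it was issued to and apply the same confidential/public test to that client.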