OpenAM - OPENAM-10207

Authorize sending both HTTP Basic Auth credentials and client_id if client secret is not defined

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 14.0.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: oauth2
    • Sprint: AM Sustaining Sprint 32
    • Story Points: 2

      Description

      When you send both HTTP Basic Auth credentials and a client_id in the request body, but no client_secret, you get:

      OAuth2Provider:12/12/2016 04:12:29:806 PM GMT: Thread[http-bio-18080-exec-20,5,main]: TransactionId[142a7e78-6a35-4cf3-911b-5b2ee57743af-1816]
      ERROR: Client (foobar) using multiple authentication methods

      This is correct, as RFC 6749, section 2.3.1, states that a client MUST only send a single form of authentication.

      However, a client_id passed in the body without a client_secret is only an identifier, not a credential, and therefore should be permitted alongside the HTTP Basic Auth credentials.
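The check this ticket asks for, as an added example that is not OpenAM's own code: it classifies the client authentication methods present on a token-endpoint request, treats a bare client_id in the body as an identifier rather than a credential, and rejects a request that carries both Basic credentials and a client_secret in the body. The function names, the method labels, and the extra check that a body client_id must match the Basic client_id are assumptions not taken from the ticket.

```python
import base64
from urllib.parse import parse_qs


def basic_header(client_id, client_secret):
    """Build the Authorization value a confidential client sends for HTTP Basic."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header_value):
    """Decode a Basic header into (client_id, client_secret); None if not Basic."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    client_id, _, secret = decoded.partition(":")
    return client_id, secret


def client_auth_methods(headers, body):
    """Classify client authentication on a token-endpoint request.

    headers: dict of HTTP headers; body: x-www-form-urlencoded request body.
    Returns (client_id, set of methods). Raises ValueError when more than one
    method is present (RFC 6749 section 2.3.1), or when a body client_id
    contradicts the Basic credentials (assumed check, not from the ticket).
    """
    methods, client_id = set(), None
    basic = parse_basic(headers.get("Authorization", ""))
    if basic is not None:
        methods.add("client_secret_basic")
        client_id = basic[0]
    form = parse_qs(body, keep_blank_values=True)
    body_id = form.get("client_id", [None])[0]
    if "client_secret" in form:
        # client_id + client_secret in the body is a second credential method
        methods.add("client_secret_post")
        client_id = body_id if client_id is None else client_id
    elif body_id is not None:
        # A bare client_id only identifies the client; it is not a credential,
        # so it must not count as a second authentication method (OPENAM-10207).
        if client_id is None:
            client_id = body_id
            methods.add("none")  # public client, no authentication at all
        elif body_id != client_id:
            raise ValueError("body client_id does not match Basic credentials")
    if len(methods) > 1:
        raise ValueError("Client (%s) using multiple authentication methods" % client_id)
    return client_id, methods
```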

    People

    • Assignee: Quentin CASTEL (quentin.castel)
    • Reporter: Quentin CASTEL (quentin.castel)
    • Votes: 0
    • Watchers: 2