OpenAM / OPENAM-13839

RFE: Check client type before checking Authorization Header


    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: oauth2
    • Support Ticket IDs:


      The customer has requested that we improve how the client credentials are read when the client type is Public.

      In openam-oauth2/src/main/java/org/forgerock/openam/oauth2/ClientCredentialsReader.java there is:

      if (req.getChallengeResponse() != null) { basicAuth = true; }

      https://restlet.com/open-source/documentation/javadocs/2.1/jse/api/org/restlet/Request.html says of getChallengeResponse:

      Returns the authentication response sent by a client to an origin server. Note that when used with HTTP connectors, this property maps to the "Authorization" header.

      AM is checking the Authorization header for credentials without first checking whether the client is Public, in which case the HTTP Basic Auth credentials do not need to be checked. The customer has asked that we check the client type before applying this validation. The OAuth2 RFC (RFC 6749, section 2.3) states:

      The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.

      So, in this case AM should not rely on trying to identify the OAuth client using the provided Authorization header because we have set up our OAuthClient as "Public".
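      The following is an added illustration of the requested order of checks, written for this page and not taken from OpenAM or Restlet. It models the token request as an Authorization header value plus form parameters, uses a constructed in-memory client registry with assumed client ids ("spa-client", "backend-client"), and looks the client type up from the client_id parameter before the Basic credentials are consulted. The mismatch rejection for a public client whose header names a different client, and the refusal of two authentication methods at once, are design choices of this example; secret verification is left to the caller.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class ClientCredentialsCheck {

    enum ClientType { PUBLIC, CONFIDENTIAL }

    /** What the reader hands to the caller; the caller verifies any secret. */
    static final class ClientCredentials {
        final String clientId;
        final String clientSecret;  // null for public clients
        final boolean basicAuth;    // true when taken from the Authorization header

        ClientCredentials(String clientId, String clientSecret, boolean basicAuth) {
            this.clientId = clientId;
            this.clientSecret = clientSecret;
            this.basicAuth = basicAuth;
        }
    }

    // Constructed stand-in for the OAuth2 client store (assumed client ids, not real ones).
    static final Map<String, ClientType> CLIENT_REGISTRY = Map.of(
            "spa-client", ClientType.PUBLIC,
            "backend-client", ClientType.CONFIDENTIAL);

    static ClientCredentials readCredentials(String authorizationHeader,
                                             Map<String, String> formParams) {
        String bodyClientId = formParams.get("client_id");
        ClientType type = bodyClientId == null ? null : CLIENT_REGISTRY.get(bodyClientId);

        if (type == ClientType.PUBLIC) {
            // RFC 6749 section 2.3: the server MUST NOT rely on public client authentication
            // to identify the client, so client_id from the body is authoritative and the
            // Authorization header is never validated as a credential.
            if (authorizationHeader != null) {
                ClientCredentials fromHeader = parseBasic(authorizationHeader);
                // Assumed design choice: a header naming a different client than the body
                // is ambiguous, so reject it instead of silently picking one identity.
                if (!bodyClientId.equals(fromHeader.clientId)) {
                    throw new IllegalArgumentException("invalid_request: ambiguous client identity");
                }
            }
            return new ClientCredentials(bodyClientId, null, false);
        }

        // Confidential or unregistered client: keep the existing header-first behaviour.
        if (authorizationHeader != null) {
            if (formParams.containsKey("client_secret")) {
                // RFC 6749 section 2.3: a client MUST NOT use more than one authentication method.
                throw new IllegalArgumentException("invalid_request: multiple client authentication methods");
            }
            return parseBasic(authorizationHeader);
        }
        String secret = formParams.get("client_secret");
        if (bodyClientId == null || secret == null) {
            throw new IllegalArgumentException("invalid_client: no client authentication included");
        }
        return new ClientCredentials(bodyClientId, secret, false);
    }

    /** Decodes an HTTP Basic credential (client_id:client_secret, base64) per RFC 7617. */
    static ClientCredentials parseBasic(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("invalid_client: unsupported authentication method");
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("invalid_client: malformed Basic credentials");
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {
            throw new IllegalArgumentException("invalid_client: malformed Basic credentials");
        }
        return new ClientCredentials(decoded.substring(0, colon), decoded.substring(colon + 1), true);
    }

    public static void main(String[] args) {
        // Public client that still sends a stale Basic header: identified by client_id only.
        String stale = "Basic " + Base64.getEncoder()
                .encodeToString("spa-client:old-secret".getBytes(StandardCharsets.UTF_8));
        ClientCredentials spa = readCredentials(stale,
                Map.of("client_id", "spa-client", "grant_type", "authorization_code"));
        System.out.println(spa.clientId + " basicAuth=" + spa.basicAuth);

        // Confidential client: the Basic header is read and handed on for secret verification.
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString("backend-client:s3cret".getBytes(StandardCharsets.UTF_8));
        ClientCredentials backend = readCredentials(basic, Map.of("grant_type", "client_credentials"));
        System.out.println(backend.clientId + " basicAuth=" + backend.basicAuth);
    }
}
```

      The point of the ordering is that the registry lookup happens before any Basic credentials are decoded and validated; with the header-first order quoted above, a public client that happens to carry an Authorization header is treated as if it were authenticating, which is exactly what section 2.3 says the server must not rely on.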




    • Assignee: Aaron Haskins
    • Votes: 0