OPENAM-14135

Support making token endpoint authentication mechanism mandatory for non-OIDC clients


    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0, 7.0.0
    • Fix Version/s: None
    • Component/s: oauth2
    • Labels:


      The fix for OPENAM-5887 made enforcement of the Token Endpoint Authentication Method apply only to OIDC clients, as the setting was OIDC-specific at the time. Plain OAuth 2.0 clients can therefore authenticate to the token endpoint with any supported method, regardless of what their profile says. The OAuth 2.0 Dynamic Client Registration spec (RFC 7591) has since made token_endpoint_auth_method part of OAuth 2.0 itself, but it does not say whether the registered method is binding on the client.

      From a security point of view, it would be much better if this setting were enforced, so that a client attempting to authenticate with a method other than the one in its profile is rejected. If a client has registered a strong method such as mTLS (tls_client_auth) or private_key_jwt, allowing it to be downgraded to client_secret_post is undesirable: a client secret is a weaker credential than a private key or certificate, so accepting it negates the protection the client registered for.

      If we do not want to break backwards compatibility, a new provider-level setting could control whether the registered method is enforced. As usual, it should be on for new installations and off on upgrade, to preserve existing behaviour.
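The check proposed above, as an added example in Python (not OpenAM's code): it classifies how a token request authenticates the client from the shape of the request (Basic header, client_secret in the form body, a client_assertion JWT, or an mTLS certificate), compares that with the client's registered token_endpoint_auth_method, and rejects a mismatch when a provider-level switch is on. The ClientProfile and TokenRequest types, the enforce_registered_method flag, the _unsigned_jwt helper and the sample requests are all constructed for this example; the page does not name OpenAM's own settings or classes.

```python
# Added example, not OpenAM's code: classify how an OAuth 2.0 token request
# authenticates its client and reject it when that differs from the
# token_endpoint_auth_method the client registered (RFC 7591 / OIDC Core).
# ClientProfile, TokenRequest and enforce_registered_method are assumptions.
import base64
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


@dataclass
class ClientProfile:
    client_id: str
    token_endpoint_auth_method: str   # value stored at (dynamic) registration


@dataclass
class TokenRequest:
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    mtls_cert_present: bool = False   # set by the TLS terminator (assumed)


class InvalidClient(Exception):
    """Maps to the RFC 6749 'invalid_client' token error."""


def _b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def detect_auth_method(req: TokenRequest) -> Tuple[str, Optional[str]]:
    """Return (method, client_id) implied by the shape of the request.

    Classification only: the secret, JWT signature or certificate is verified
    afterwards, with the key material that belongs to the *registered* method.
    """
    found = []
    auth = req.headers.get("Authorization", "")
    if auth[:6].lower() == "basic ":
        creds = base64.b64decode(auth[6:]).decode("utf-8")
        found.append(("client_secret_basic", creds.partition(":")[0]))
    if "client_secret" in req.form:
        found.append(("client_secret_post", req.form.get("client_id")))
    if req.form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in req.form:
        alg = _b64url_json(req.form["client_assertion"].split(".")[0]).get("alg", "")
        # HMAC algs key the assertion on the client secret (client_secret_jwt);
        # asymmetric algs use a registered public key (private_key_jwt).
        method = "client_secret_jwt" if alg.startswith("HS") else "private_key_jwt"
        found.append((method, req.form.get("client_id")))
    if req.mtls_cert_present and not found:   # cert counts only if nothing else was sent
        found.append(("tls_client_auth", req.form.get("client_id")))
    if not found:
        return "none", req.form.get("client_id")   # public client
    if len(found) > 1:
        # RFC 6749 s2.3: a client MUST NOT use more than one method per request
        raise InvalidClient("multiple client authentication methods in one request")
    return found[0]


def authenticate_client(client: ClientProfile, req: TokenRequest,
                        enforce_registered_method: bool = True) -> str:
    """Return the method to verify the credentials under, or raise InvalidClient.

    enforce_registered_method is the proposed provider switch: on for new
    installations (downgrade rejected), off on upgrade to keep today's
    behaviour of accepting any supported method.
    """
    used, client_id = detect_auth_method(req)
    if client_id is not None and client_id != client.client_id:
        raise InvalidClient("client_id does not match the client being authenticated")
    if enforce_registered_method and used != client.token_endpoint_auth_method:
        raise InvalidClient(f"client registered {client.token_endpoint_auth_method} "
                            f"but authenticated with {used}")
    return used


def _unsigned_jwt(alg: str) -> str:
    """Constructed assertion with an empty signature; enough to exercise classification."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': alg, 'typ': 'JWT'})}.{seg({'iss': 'app1', 'sub': 'app1'})}."


# Constructed sample data: a client registered with private_key_jwt, a proper
# request from it, an attempted downgrade to client_secret_post, and a request
# that mixes two methods.
STRONG_CLIENT = ClientProfile("app1", "private_key_jwt")
LEGIT = TokenRequest(form={"grant_type": "client_credentials",
                           "client_assertion_type": JWT_BEARER,
                           "client_assertion": _unsigned_jwt("RS256")})
DOWNGRADE = TokenRequest(form={"grant_type": "client_credentials",
                               "client_id": "app1", "client_secret": "leaked"})
MIXED = TokenRequest(headers={"Authorization": "Basic " + base64.b64encode(b"app1:leaked").decode()},
                     form={"client_id": "app1", "client_secret": "leaked"})


def outcome(client: ClientProfile, req: TokenRequest, enforce: bool = True) -> str:
    try:
        return "accepted:" + authenticate_client(client, req, enforce)
    except InvalidClient:
        return "rejected"


if __name__ == "__main__":
    for label, req, enforce in [("legit", LEGIT, True), ("downgrade", DOWNGRADE, True),
                                ("downgrade, legacy", DOWNGRADE, False), ("mixed", MIXED, True)]:
        print(f"{label:18} {outcome(STRONG_CLIENT, req, enforce)}")
```

Classification happens before any credential is verified, so with the switch on a client registered for private_key_jwt that sends a client_secret never reaches the secret check at all, and an HS256 assertion from the same client is classified as client_secret_jwt and rejected for the same reason. With the switch off, the downgrade request is handed on to client_secret_post verification, which is the behaviour the issue describes for non-OIDC clients today.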




            • Assignee: Neil Madden
            • Votes: 0
            • Watchers: 1