
OAuth2/OIDC - Issuing client secret to Public clients during registration

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0, 6.5.0.1, 6.5.1, 6.0.0.7
    • Fix Version/s: 6.0.1, 6.5.3, 7.0.0, 5.5.2
    • Component/s: oauth2
    • Labels:
    • Sprint:
      AM Sustaining Sprint 63, AM Sustaining Sprint 64
    • Story Points:
      5
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      According to https://tools.ietf.org/html/rfc6749:

      The authorization server MUST NOT issue client passwords or other
      client credentials to native application or user-agent-based
      application clients for the purpose of client authentication.  The
      authorization server MAY issue a client password or other credentials
      for a specific installation of a native application client on a
      specific device.

      client_secret
          OPTIONAL.  OAuth 2.0 client secret string.  If issued, this MUST
          be unique for each "client_id" and SHOULD be unique for multiple
          instances of a client using the same "client_id".  This value is
          used by confidential clients to authenticate to the token
          endpoint, as described in OAuth 2.0
      

      How to reproduce the issue

      Allow open registration on OAuth2 Provider and register a public client dynamically:

      curl -s --request POST --header "Content-Type: application/json" \
        --data '{"client_name":"OIC Test Client2","redirect_uris":["https://client.example.com/"],"scope":"openid","client_type":"Public","grant_types":["implicit"],"response_types":["token"],"token_endpoint_auth_method":"none"}' \
        "http://openam.example.com:18080/openam/oauth2/register" | jq . | grep "client_secret"
      
        "client_secret": "sHzYh2KDtIkbSqHXfbcwEdPMDOTvd2GrXyrZQtonSOtESiaP43_R_vgsDDaWWujhRGKNN6_lJfYORVyWQVqUKg",
      
      Expected behaviour
      Client secret shouldn't be issued
      
      Current behaviour
      Client secret is issued
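      An added check, not part of the ticket or of AM's code base, that audits one dynamic-registration exchange for the behaviour described above: the request mirrors the reproduction step, while both response bodies and the secret value in them are constructed samples.

```python
import json

# Constructed sample data (not the ticket's real server output): the
# registration request from the reproduction step, a response shaped like
# the buggy one, and a response shaped like the expected behaviour.
REGISTRATION_REQUEST = {
    "client_name": "OIC Test Client2",
    "redirect_uris": ["https://client.example.com/"],
    "scope": "openid",
    "client_type": "Public",
    "grant_types": ["implicit"],
    "response_types": ["token"],
    "token_endpoint_auth_method": "none",
}
BUGGY_RESPONSE = json.dumps({
    "client_id": "constructed-client-id",
    "client_secret": "CONSTRUCTED_SECRET_VALUE",
    "client_type": "Public",
    "token_endpoint_auth_method": "none",
})
FIXED_RESPONSE = json.dumps({
    "client_id": "constructed-client-id",
    "client_type": "Public",
    "token_endpoint_auth_method": "none",
})


def is_public_client(metadata):
    """Public = no token endpoint authentication (RFC 7591 value 'none'),
    or AM's own client_type metadata set to 'Public'."""
    return (metadata.get("token_endpoint_auth_method") == "none"
            or str(metadata.get("client_type", "")).lower() == "public")


def audit_registration(request, response_body):
    """Compare a registration request with the server's JSON response and
    return a list of findings (empty when the exchange looks right)."""
    response = json.loads(response_body)
    findings = []
    # The server may override metadata: response values win, request fills gaps.
    merged = {**request, **response}
    if is_public_client(merged) and "client_secret" in response:
        findings.append("client_secret issued to a public client")
    req_auth = request.get("token_endpoint_auth_method")
    resp_auth = response.get("token_endpoint_auth_method")
    if req_auth and resp_auth and req_auth != resp_auth:
        findings.append(f"token_endpoint_auth_method changed: {req_auth} -> {resp_auth}")
    return findings
```

      Run the audit against the body returned by the curl command above; a non-empty list for a client registered with token_endpoint_auth_method "none" reproduces this bug.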
      

      People

      • Assignee: Sachiko Wallace
      • Reporter: Tasos Kampas
