
registering client with token_endpoint_auth_method=none returns secret

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.5.2, 7.0.0
    • Fix Version/s: 6.5.3, 7.0.0
    • Component/s: oauth2
    • Labels:
    • Sprint:
      AM Sustaining Sprint 64
    • Story Points:
      2
    • Needs backport:
      No
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
Yes and I used the same as in the description

      Description

      Bug description

      registering client with token_endpoint_auth_method=none returns secret

      How to reproduce the issue

      1. login to admin console
      2. select realm -> [Configure OAuth Provider] -> [Configure OpenID Connect]
      3. click [Applications] -> [OAuth 2.0] -> [Clients] -> [+ Add Client]

      • Client ID : myClientID
      • Client Secret : cangetin
      • Scope(s) : dynamic_client_registration

      4. click OAuth2 client created in step 3 -> [Advanced] tab

      • add [Client Credentials] to [Grant Types] and save

      5. request access token

      curl -X POST --user "myClientID:cangetin" --data "grant_type=client_credentials&scope=dynamic_client_registration" http://openam.example.com:18080/openam/oauth2/access_token
        

      6. register a dynamic client and check that the response contains "client_secret" and that "client_type" is Confidential.

      curl -v --request POST --header 'authorization: Bearer <access_token>' --header "Content-Type: application/json" --data '{"client_name":"OIC Test Client2","redirect_uris":["https://client.example.com/"],"scope":"openid","token_endpoint_auth_method":"none","grant_types":["implicit"],"response_types":["token"]}' http://openam.example.com:18080/openam/oauth2/connect/register
      
      Expected behaviour
      response should not contain "client_secret" and "client_type" should be Public
      
      Current behaviour
      response contains "client_secret" and "client_type" is Confidential.
      

      Work around

      N/A

      Code analysis

      https://tools.ietf.org/html/rfc6749#section-2 states that a developer can choose to specify the client_type. When a client registers with client_type in its metadata, OpenAM should use it to determine whether the client_type is Public or Confidential.

      On the other hand, https://tools.ietf.org/html/rfc7591#section-2 states

      token_endpoint_auth_method
            *  "none": The client is a public client as defined in OAuth 2.0, Section 2.1, and does not have a client secret.
      

      Therefore, when client_type is not specified and token_endpoint_auth_method=none, we should mark client_type=Public.
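      The check from step 6 of the reproduction steps and the client_type rule from the code analysis above, as an added example (not OpenAM code). derive_client_type() applies the rule: an explicit client_type wins, otherwise token_endpoint_auth_method=none means Public and anything else (including the RFC 7591 default, client_secret_basic) means Confidential. check_registration_response() then compares a registration response against the request. The sample request is the one from step 6; the two sample responses are constructed to model the reported and the expected behaviour and are not captured from a real server; the client_id and client_secret values in them are made up.

```python
import json
import sys

# Constructed sample: the registration request from step 6 of the report.
# token_endpoint_auth_method=none means a public client (RFC 7591 section 2).
REGISTRATION_REQUEST = {
    "client_name": "OIC Test Client2",
    "redirect_uris": ["https://client.example.com/"],
    "scope": "openid",
    "token_endpoint_auth_method": "none",
    "grant_types": ["implicit"],
    "response_types": ["token"],
}

# Constructed sample responses (assumed shapes, not captured from OpenAM).
# BUGGY_RESPONSE models what the affected versions return; FIXED_RESPONSE
# models the expected behaviour. client_id/client_secret values are made up.
_COMMON = {
    "client_id": "a1b2c3d4-0000-4000-8000-000000000001",
    "client_name": "OIC Test Client2",
    "redirect_uris": ["https://client.example.com/"],
    "scope": "openid",
    "grant_types": ["implicit"],
    "response_types": ["token"],
    "token_endpoint_auth_method": "none",
}
BUGGY_RESPONSE = dict(_COMMON, client_secret="s3cr3t-should-not-be-here",
                      client_secret_expires_at=0, client_type="Confidential")
FIXED_RESPONSE = dict(_COMMON, client_type="Public")


def derive_client_type(metadata):
    """Client type the server should assign to a registration request.

    An explicit client_type wins. Otherwise token_endpoint_auth_method=none
    means Public (RFC 7591 section 2); any other method, including the
    RFC 7591 default client_secret_basic, means Confidential.
    """
    explicit = metadata.get("client_type")
    if explicit is not None:
        if str(explicit).lower() not in ("public", "confidential"):
            raise ValueError("unknown client_type: %r" % (explicit,))
        return str(explicit).capitalize()
    if metadata.get("token_endpoint_auth_method", "client_secret_basic") == "none":
        return "Public"
    return "Confidential"


def check_registration_response(request, response):
    """Return a list of findings; an empty list means the response is consistent.

    Covers the step 6 check (no client_secret, client_type Public for a
    public client) plus two RFC 7591 consistency rules: the auth method must
    be echoed unchanged, and a client_secret must come with
    client_secret_expires_at (RFC 7591 section 3.2.1).
    """
    findings = []
    expected_type = derive_client_type(request)
    method = request.get("token_endpoint_auth_method", "client_secret_basic")

    if response.get("client_type") != expected_type:
        findings.append("client_type is %r, expected %r"
                        % (response.get("client_type"), expected_type))
    if response.get("token_endpoint_auth_method") != method:
        findings.append("token_endpoint_auth_method %r was not echoed as %r"
                        % (response.get("token_endpoint_auth_method"), method))
    if expected_type == "Public" and "client_secret" in response:
        findings.append("client_secret issued to a public client")
    # Only secret-based methods require a secret; private_key_jwt etc. do not.
    if (method in ("client_secret_basic", "client_secret_post")
            and "client_secret" not in response):
        findings.append("confidential client registered without a client_secret")
    if "client_secret" in response and "client_secret_expires_at" not in response:
        findings.append("client_secret present but client_secret_expires_at missing")
    return findings


if __name__ == "__main__":
    # Usage: pipe the JSON body returned by the step 6 curl into this script;
    # it exits 1 when the response is inconsistent with the request.
    problems = check_registration_response(REGISTRATION_REQUEST, json.load(sys.stdin))
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

      Against a live server the script can be chained after the step 6 curl (drop -v so only the JSON body reaches stdin); on the affected versions it reports the wrong client_type and the unwanted client_secret, on a fixed version it reports nothing.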

               People

               • Assignee:
                 Sachiko Wallace
               • Reporter:
                 Sachiko Wallace
               • Votes:
                 0
               • Watchers:
                 5
