
The OAuth2 dynamic client registration flow should default to empty response_types for clients with grant_types which do not support redirection

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0, 6.5.0.1, 6.5.1, 6.5.0.2, 6.5.2
    • Fix Version/s: None
    • Component/s: oauth2, OpenID Connect
    • Labels:
    • Sprint: AM Sustaining Sprint 65, AM Sustaining Sprint 66
    • Story Points: 2

      Description

      Unless explicitly defined in the POST body, the OAuth2 Dynamic Client Registration flow defaults to response_types=code regardless of the grant_types parameter specified. This in turn results in the need to specify a never used redirect_uri parameter.

      Flows which do not support redirection such as client_credentials and Resource Owner Password Grant should not require response_types to be specified and instead should default to "response_types": [] (i.e. a blank value) and thus not require the redirect_uri parameter to be specified.

      Currently, unless response_types is explicitly set to "response_types": [] in the POST body, a redirect_uri is required regardless of the grant_types specified. This is a breaking change for client-side registration APIs upgrading to AM 6.5.x.
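      The defaulting rule this issue asks for, written out as a small model so the two requests below can be reasoned about. This is an added illustration, not OpenAM code: the grant-type to response-type correlation follows the table in RFC 7591 section 2.1, the treatment of unknown grant types as non-redirecting is an assumption, and the error object is the one quoted in this issue.

```python
"""Model of response_types defaulting for OAuth2 dynamic client registration.

Added example, not OpenAM/AM code. It implements the behaviour this issue
requests: a registration whose grant_types cannot use a browser redirect
defaults to response_types=[] and therefore needs no redirect_uris.
"""
import json

# Grant types completed at the token endpoint with no browser redirect
# (RFC 7591 section 2.1 lists no response_type for these).
NON_REDIRECT_GRANTS = frozenset({"client_credentials", "password", "refresh_token"})

# Redirect-based grant types and the response_types each one implies
# (RFC 7591 section 2.1 correlation table).
REDIRECT_GRANT_RESPONSE_TYPES = {
    "authorization_code": ["code"],
    "implicit": ["token"],
}

# RFC 7591 default when the request carries no grant_types at all.
DEFAULT_GRANT_TYPES = ["authorization_code"]


def default_response_types(grant_types):
    """response_types to assume when the request omits them.

    Non-redirecting grants contribute nothing, so a client registered with
    only client_credentials or password ends up with []. Grant types this
    model does not know are treated as non-redirecting (assumption).
    """
    if not grant_types:
        grant_types = DEFAULT_GRANT_TYPES
    implied = []
    for grant in grant_types:
        for response_type in REDIRECT_GRANT_RESPONSE_TYPES.get(grant, []):
            if response_type not in implied:
                implied.append(response_type)
    return implied


def register(metadata):
    """Validate client metadata (dict parsed from the POST body).

    Returns the effective metadata, or raises ValueError carrying the
    RFC 7591 style error object quoted in this issue.
    """
    meta = dict(metadata)
    meta["grant_types"] = list(meta.get("grant_types") or DEFAULT_GRANT_TYPES)
    if "response_types" not in meta:
        meta["response_types"] = default_response_types(meta["grant_types"])
    # Only redirect-based flows need somewhere to send the browser back to.
    if meta["response_types"] and not meta.get("redirect_uris"):
        raise ValueError(json.dumps({
            "error": "invalid_client_metadata",
            "error_description": "Specified response_types required redirect_uris to be set.",
        }))
    return meta


if __name__ == "__main__":
    # Constructed request: a client_credentials client, no response_types.
    ok = register({"grant_types": ["client_credentials"],
                   "client_uri": "https://client.example.com/"})
    print("client_credentials client ->", ok["response_types"])  # []
    # The issue's broken request: no grant_types, no response_types,
    # so the RFC default authorization_code -> code applies and a
    # redirect_uris entry is legitimately required.
    try:
        register({"client_uri": "https://client.example.com/"})
    except ValueError as err:
        print("default client ->", err)
```

      With this rule the broken request below would still fail (it names no grant_types, so authorization_code and hence "code" is the correct default), but a request that states grant_types of client_credentials or password would register without response_types or redirect_uris, which is the behaviour this issue asks for.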

      Example working request:

      curl \
       --request POST \
       --header "Content-Type: application/json" \
       --data '{
       "response_types": [],
       "client_name#ja-Jpan-JP": "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
       "client_uri": "https://client.example.com/"
       }' \
       http://openam.test.com:8495/openam/oauth2/realms/root/connect/register
      

      Example broken request:

      curl \
       --request POST \
       --header "Content-Type: application/json" \
       --data '{
       "client_name#ja-Jpan-JP": "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
       "client_uri": "https://client.example.com/"
       }' \
       http://openam.test.com:8495/openam/oauth2/realms/root/connect/register
      

      Which returns:

      {
        "error": "invalid_client_metadata",
        "error_description": "Specified response_types required redirect_uris to be set."
      }
      

      People

      • Assignee: Unassigned
      • Reporter: Darinder Shokar (shokard)
      • Votes: 1
      • Watchers: 10