The SP adapter does not pass the realm to the access_token endpoint; only client_id, grant_type and assertion are sent.
The user has set up the SAML 2.0 bearer assertion profile for OAuth 2.0 under a sub-realm. IDP-initiated single sign-on succeeds, but the /access_token endpoint returns:
{"error_description":"Client authentication failed","error":"invalid_client"}
EDIT:
The SAML 2.0 bearer was not bound. This issue also affected the top realm. The current fix only binds the SAML bearer, which solves the issue on the top realm. However, the issue still exists on the realm: see OPENAM-6552.
Relates to: OPENAM-6552 access_token request sent by OAuth2Saml2GrantSPAdapter is not realm aware (Resolved)