
Token Endpoint Authentication Method does not work correctly with OAuth2 clients

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0
    • Fix Version/s: 13.0.0
    • Component/s: oauth2
    • Labels:
    • Environment:
      23 Apr 2015 13.0.0 nightly trunk build #1037, SVN r13544.
      This is the revision into which the oidc-conf branch was merged.
    • Sprint:
      Sprint 84 - Team Newton

      Description

      For OpenID Connect, a Token Endpoint Authentication Method parameter was added, with a choice of client_secret_basic, client_secret_post or private_key_jwt. However, for an OAuth2 client, the first two client authentication methods are both valid for an access token request and there is no concept of a client registration declaring beforehand which one it will use. See RFC-6749 §3.2.1 and §2.3. This would be why we allowed either type of client authentication in the past. This mechanism still needs to work as it did before for OAuth2 clients.

      This is causing many OAuth2 regression tests to fail in the three flows that use the access token endpoint.
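Added here as an illustration, not code from OpenAM: a minimal Python check for the behaviour the description asks for, accepting either client_secret_basic or client_secret_post for a plain OAuth2 client while enforcing the registered method for an OIDC client. The in-memory client registry, the basic_header helper and the omission of private_key_jwt are assumptions.

```python
import base64
import hmac
from urllib.parse import quote, unquote

# Constructed registry (an assumption, not OpenAM's client store). A value of None
# marks a plain OAuth2 client, which per RFC 6749 section 2.3 may use either method.
CLIENTS = {
    "oauth2-app": {"secret": "s3cret-a", "token_endpoint_auth_method": None},
    "oidc-app": {"secret": "s3cret-b", "token_endpoint_auth_method": "client_secret_post"},
}

class ClientAuthError(Exception):
    """Token request failed client authentication."""

def basic_header(client_id, secret):
    pair = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
    return "Basic " + base64.b64encode(pair).decode()

def _basic_credentials(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        raise ClientAuthError("malformed Basic credentials")
    return unquote(user), unquote(pw)  # RFC 6749 2.3.1: both parts are form-urlencoded

def authenticate_client(headers, form):
    """Return the authenticated client_id for a token request, or raise ClientAuthError."""
    basic = _basic_credentials(headers)
    post = (form.get("client_id", ""), form["client_secret"]) if "client_secret" in form else None
    if basic and post:  # RFC 6749 2.3: at most one authentication method per request
        raise ClientAuthError("more than one client authentication method")
    if basic:
        method, (client_id, secret) = "client_secret_basic", basic
    elif post:
        method, (client_id, secret) = "client_secret_post", post
    else:
        raise ClientAuthError("no client credentials")
    client = CLIENTS.get(client_id)
    # Only an explicitly registered OIDC method restricts the choice; OAuth2 clients keep both.
    if client and client["token_endpoint_auth_method"] not in (None, method):
        raise ClientAuthError(f"registered for {client['token_endpoint_auth_method']}, used {method}")
    # Always run the comparison, with a dummy secret for unknown ids, to keep timing uniform.
    expected = client["secret"] if client else "invalid"
    if not hmac.compare_digest(expected.encode(), secret.encode()) or client is None:
        raise ClientAuthError("invalid client credentials")
    return client_id
```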

            People

            • Assignee: David Luna (david.luna@forgerock.com)
            • Reporter: Garyl Erickson (GErickson)
            • QA Assignee: Garyl Erickson
            • Votes: 0
            • Watchers: 3
