[OPENAM-11032] Need an option to limit, allow or deny OAuth2.0 flows per application Created: 12/Apr/17  Updated: 17/Jul/18  Resolved: 17/Jul/18

Status: Closed
Project: OpenAM
Component/s: oauth2
Affects Version/s: 13.5.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Kamal Sivanandam Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: AME
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is required by OPENAM-11479 OAuth 2: Do not allow implicit flow b... Open
Target Version/s:
Epic Link: OAuth2 per-client configuration
Support Ticket IDs:


Need an option in the agent configuration page to allow or deny the 4 flows (authorization code, password credentials, client credentials, implicit grant). Only chosen flows should be available for those agents/applications. Customers would like to enforce that some set of applications always use the authorization code grant and block them from using the password credentials grant.

Comment by Andy Hall [ 10/Oct/17 ]

Kamal Sivanandam Could this be achieved by removing the response type plugins for the OAuth2 Provider Service or the support response types on the OAuth2 client?

Comment by Joe Starling [ 24/Nov/17 ]

The spec references this as a potential error response to the resource owner password flow, which could suggest that the authorization server should somehow be aware of which flows a particular client is authorized to use (or, that some authz servers can outright deny certain grant types...):

"The authorization grant type is not supported by the authorization server."

Comment by Nicolas Guichard [X] (Inactive) [ 25/Nov/17 ]

Hello, I believe the correct error code regarding this issue is:

"The authenticated client is not authorized to use this authorization grant type."
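The enforcement the ticket asks for, shown as an added example that is not OpenAM code: a per-client allow-list checked at the token endpoint (grant_type) and at the authorization endpoint (response_type, which is where the implicit flow is gated and which the first comment points at). It also separates the two RFC 6749 error codes quoted in the comments: unsupported_grant_type when the server has a flow disabled for everyone, unauthorized_client when the flow exists but this particular client is not permitted to use it. The client ids and their allow-lists are constructed for the example.

```python
"""Per-client OAuth 2.0 flow allow-list (illustrative, not OpenAM code).

Error codes follow RFC 6749: section 5.2 for the token endpoint and
section 4.1.2.1 for the authorization endpoint.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Flows the authorization server supports at all (server-wide switch).
SERVER_GRANT_TYPES: FrozenSet[str] = frozenset(
    {"authorization_code", "password", "client_credentials", "refresh_token"}
)
# "code" is the authorization code flow, "token" is the implicit flow.
SERVER_RESPONSE_TYPES: FrozenSet[str] = frozenset({"code", "token"})


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_grant_types: FrozenSet[str]      # token endpoint
    allowed_response_types: FrozenSet[str]   # authorization endpoint


# Constructed client registry (hypothetical client ids).
CLIENTS: Dict[str, Client] = {
    # A browser-facing app: authorization code only, no implicit, no password.
    "web-portal": Client(
        "web-portal",
        frozenset({"authorization_code", "refresh_token"}),
        frozenset({"code"}),
    ),
    # A machine-to-machine job: client credentials only, never redirects.
    "batch-job": Client(
        "batch-job", frozenset({"client_credentials"}), frozenset()
    ),
}


def _error(code: str, description: str) -> dict:
    """Build an RFC 6749 error response body."""
    return {"error": code, "error_description": description}


def check_grant_type(client_id: str, grant_type: str) -> Optional[dict]:
    """Token endpoint policy: None if permitted, else an error body."""
    client = CLIENTS.get(client_id)
    if client is None:
        return _error("invalid_client", "Client authentication failed.")
    if grant_type not in SERVER_GRANT_TYPES:
        # Disabled server-wide, so the error is about the server.
        return _error(
            "unsupported_grant_type",
            "The authorization grant type is not supported by the "
            "authorization server.",
        )
    if grant_type not in client.allowed_grant_types:
        # Supported by the server, but this client is not allowed to use it.
        return _error(
            "unauthorized_client",
            "The authenticated client is not authorized to use this "
            "authorization grant type.",
        )
    return None


def check_response_type(client_id: str, response_type: str) -> Optional[dict]:
    """Authorization endpoint policy: None if permitted, else an error body."""
    client = CLIENTS.get(client_id)
    if client is None:
        # Per RFC 6749 4.1.2.1 this must not redirect; the caller shows it
        # to the resource owner instead.
        return _error("invalid_request", "Unknown client_id.")
    if response_type not in SERVER_RESPONSE_TYPES:
        return _error(
            "unsupported_response_type",
            "The authorization server does not support obtaining an "
            "authorization code using this method.",
        )
    if response_type not in client.allowed_response_types:
        return _error(
            "unauthorized_client",
            "The client is not authorized to request an authorization "
            "code using this method.",
        )
    return None


if __name__ == "__main__":
    print(check_grant_type("web-portal", "authorization_code"))  # None
    print(check_grant_type("web-portal", "password"))            # unauthorized_client
    print(check_response_type("web-portal", "token"))            # unauthorized_client
```

The point of the split is operational: a global response-type or grant-type switch (the first comment's suggestion) turns a flow off for every client, while the per-client list lets one application keep the password grant during migration while the rest are held to authorization code, and the audit log can tell the two refusals apart by error code.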
