[OPENAM-11479] OAuth 2: Do not allow implicit flow by default for Confidential clients Created: 03/Aug/17  Updated: 18/Jul/18

Status: Open
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Reporter: Neil Madden Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: AME
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
depends on OPENAM-11032 Need an option to limit, allow or den... Closed
Target Version/s:
Epic Link: OAuth2 per-client configuration


Currently if you register an OAuth 2.0 Confidential client (i.e., one that has client credentials) then by default it has a set of allowed response types that includes the various implicit flows: "token", "id_token" and the various hybrid flows like "code id_token".

These flows do not require client authentication to obtain an access token and/or id token, despite the fact that the client is capable of it. This is probably not a configuration that anyone actually wants.

The spec is silent on whether this should be allowed or not, and there may be some valid reason for wanting it. However, this should probably be an opt-in rather than an opt-out situation, since leaving the settings at their defaults leaves you with a questionable security configuration.

I suggest we change the default response types to just "code" and require clients to explicitly add the other flows if they want them.
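To make the proposal concrete, here is an added example (written for this page, not OpenAM's own code) of the per-client policy the ticket describes: a confidential client whose registration does not list a response type gets only "code", so any implicit or hybrid response_type (anything containing "token" or "id_token", which returns tokens from the authorization endpoint before the client could authenticate) is rejected unless the client was explicitly configured for it. The `Client` record, `register_client` and `check_authorization_request` names are assumptions for the example, and the default set given to public clients is constructed here because the ticket only discusses confidential clients.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Response-type values from OAuth 2.0 and the OIDC multiple-response-types spec,
# stored in canonical (sorted-token) form. Every value other than plain "code"
# delivers an access token and/or ID token straight from the authorization
# endpoint, i.e. without the client ever presenting its credentials.
KNOWN_RESPONSE_TYPES = frozenset({
    "code", "token", "id_token", "id_token token",
    "code id_token", "code token", "code id_token token",
})

# Proposed default for confidential clients (from the ticket): authorization code only.
CONFIDENTIAL_DEFAULT = frozenset({"code"})

# Assumed default for public clients (constructed for this example; the ticket does
# not say what public clients should get). A public client has no credentials, so
# the implicit flows add no authentication weakness for it.
PUBLIC_DEFAULT_ASSUMED = frozenset({"code", "token", "id_token", "id_token token"})


def canonical(response_type: str) -> str:
    """response_type is a space-separated, order-insensitive set of tokens, so
    "id_token code" and "code id_token" name the same hybrid flow."""
    return " ".join(sorted(response_type.split()))


def issues_tokens_without_client_auth(response_type: str) -> bool:
    """True for every implicit or hybrid flow: a response_type containing
    'token' or 'id_token' hands out a token from the authorization endpoint."""
    return any(t in ("token", "id_token") for t in response_type.split())


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool
    allowed_response_types: FrozenSet[str]


def register_client(client_id: str, confidential: bool,
                    allowed_response_types: Optional[Iterable[str]] = None) -> Client:
    """Build a client record, applying the opt-in default when no explicit list is given."""
    if allowed_response_types is None:
        allowed = CONFIDENTIAL_DEFAULT if confidential else PUBLIC_DEFAULT_ASSUMED
    else:
        allowed = frozenset(canonical(rt) for rt in allowed_response_types)
    unknown = allowed - KNOWN_RESPONSE_TYPES
    if unknown:
        raise ValueError(f"unknown response types for {client_id}: {sorted(unknown)}")
    return Client(client_id, confidential, allowed)


def check_authorization_request(client: Client, response_type: str) -> Tuple[bool, str]:
    """Decide whether the requested response_type is allowed for this client.

    Returns (allowed, reason). The registered set always wins; the case the
    ticket cares about is a confidential client that never opted in to a flow
    that bypasses its own client authentication."""
    rt = canonical(response_type)
    if rt not in KNOWN_RESPONSE_TYPES:
        return False, f"unsupported_response_type: {response_type!r}"
    if rt in client.allowed_response_types:
        return True, "ok"
    if client.confidential and issues_tokens_without_client_auth(rt):
        return False, ("unauthorized_client: confidential client has not opted in to a "
                       "flow that issues tokens without client authentication")
    return False, "unauthorized_client: response type not registered for this client"


if __name__ == "__main__":
    web_app = register_client("web-app", confidential=True)          # defaults -> {"code"}
    hybrid_app = register_client("hybrid-app", True, {"code", "id_token code"})  # opted in
    for client, rt in [(web_app, "code"), (web_app, "token"), (web_app, "id_token code"),
                       (hybrid_app, "code id_token"), (hybrid_app, "token")]:
        allowed, reason = check_authorization_request(client, rt)
        print(f"{client.client_id:>10} {rt!r:<20} -> {allowed} ({reason})")
```

The decision is made at the authorization endpoint, before any token is issued, and the rejection reason distinguishes "not registered" from "confidential client never opted in", which is the case worth alerting on in logs.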

Generated at Wed Oct 21 10:37:21 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.