[OPENAM-14135] Support making token endpoint authentication mechanism mandatory for non-OIDC clients Created: 14/Dec/18  Updated: 06/May/20

Status: Open
Project: OpenAM
Component/s: oauth2
Affects Version/s: 6.5.0, 7.0.0
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Neil Madden Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:


The fix for OPENAM-5887 made enforcement of the Token Endpoint Authentication Method apply only to OIDC clients, as this was an OIDC-specific setting. Normal OAuth clients can authenticate with any supported authentication method. The OAuth Dynamic Client Registration spec later made the Token Endpoint Authentication Method part of OAuth 2.0 itself, although it failed to say whether the chosen method should be mandatory or not.

From a security point of view, it would be much better if this setting were enforced, so that a client attempting to authenticate with a method other than the one indicated in its profile is rejected. If the client has indicated a strong authentication mechanism such as mTLS or private key JWT, then being able to downgrade to client_secret_post is undesirable.

If we do not want to break backwards compatibility, we could introduce a new setting on the provider to determine whether this should be enforced. As usual, this should be on for new installations and off for upgrades to preserve existing behaviour.

Comment by Neil Madden [ 20/Dec/18 ]

In the current implementation, it is sufficient that the client has the "openid" scope in its allowed scopes to make the token endpoint method mandatory - even if the client does not actually request that scope. However, you may not want to grant a client the openid scope just to enforce a particular client authentication method.
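As an added illustration (not OpenAM code) of the enforcement proposed in the description together with the openid-scope condition noted in the comment above: the client and request structures, the `enforce_auth_method` provider flag and the sample values are assumptions constructed for this example.

```python
"""Enforce a client's registered token_endpoint_auth_method at the token endpoint.

Added example, not OpenAM code. Method names follow RFC 7591 / RFC 8705;
the Client/request shapes and the enforce_auth_method flag are constructed.
"""
from dataclasses import dataclass, field

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


@dataclass
class Client:
    client_id: str
    token_endpoint_auth_method: str      # registered method, e.g. "private_key_jwt"
    allowed_scopes: set = field(default_factory=set)


def detect_auth_method(request: dict) -> str:
    """Classify which method a token request actually presents.

    request is a constructed dict: 'headers', 'form' (POST parameters) and
    'client_cert' (True when mutual TLS delivered a client certificate).
    Credential verification itself (secret, signature, cert) happens elsewhere.
    """
    form = request.get("form", {})
    if form.get("client_assertion_type") == JWT_BEARER:
        # Also covers client_secret_jwt; telling them apart needs the JWS alg.
        return "private_key_jwt"
    if request.get("client_cert"):
        return "tls_client_auth"
    if request.get("headers", {}).get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if "client_secret" in form:
        return "client_secret_post"
    return "none"


def is_method_enforced(client: Client, enforce_auth_method: bool) -> bool:
    """Provider flag on (new installs): always enforce. Off (upgrades): keep the
    OPENAM-5887 behaviour and enforce only for clients allowed the openid scope."""
    return enforce_auth_method or "openid" in client.allowed_scopes


def method_permitted(client: Client, request: dict, enforce_auth_method: bool) -> bool:
    """True when the presented method may proceed to credential verification."""
    used = detect_auth_method(request)
    if is_method_enforced(client, enforce_auth_method):
        # Only the registered method is accepted, which closes the downgrade
        # from mTLS or private_key_jwt to client_secret_post.
        return used == client.token_endpoint_auth_method
    return used != "none"  # legacy: any supported method is accepted
```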

Generated at Tue Nov 24 01:31:18 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.