[OPENAM-7334] Client Authentication method not compliant with OpenID standard Created: 05/Nov/15  Updated: 05/Nov/15  Resolved: 05/Nov/15

Status: Resolved
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3
Fix Version/s: 13.0.0

Type: Bug Priority: Major
Reporter: Quentin CASTEL [X] (Inactive) Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Description of the issue

In the OpenID Connect standard, the client authentication method can be defined in the client's registration with the OAuth2 provider (here OpenAM).
If it is not defined, "client_secret_basic" is used.

http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

In the OpenAM 12 agent profile, the client authentication method can't be defined, therefore "client_secret_basic" should be used.

However, OpenAM 12 doesn't check which method was used.

How to reproduce the issue

This means that a request like the following should fail, as it uses the "client_secret_post" method (the client secret is sent as a form parameter):

curl \
 --request POST \
 --data "client_id=myClientID&client_secret=changeit&grant_type=password&username=demo&password=changeit&scope=openid%20profile" \
 http://openam.example.com:18080/openam/oauth2/access_token

Instead, you get an access token.

Solution:

To be compliant with the standard in 12, use the "client_secret_basic" method (client id and secret in the HTTP Basic Authorization header), like:

curl \
 --request POST \
 --user "myClientID:changeit" \
 --data "grant_type=password&username=demo&password=changeit&scope=openid%20profile" \
 http://openam.example.com:18080/openam/oauth2/access_token

Note for people upgrading from 12 to 13:

As 12 allows requests that are not compliant with the standard, you may have some requests failing when upgrading to 13.
You will get an error like:

{"error":"invalid_client","error_description":"Invalid authentication method for accessing this endpoint."}

As explained above, that's not a regression in 13 but a correction made in 13 to be compliant with the standard.
In 13, you can configure the client authentication method in the agent profile.
Therefore, to correct this error, you can:

  • select the appropriate client authentication method in the agent profile
  • correct your request to use the client authentication method defined in the agent profile.
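The check described above, as an added illustration that is not OpenAM's own code: a small model of a token endpoint that works out which client authentication method a request actually used and rejects it with the `invalid_client` error quoted above when it does not match the method configured for the client (falling back to `client_secret_basic` when none is configured, as in 12). The client registry, the `auth_method` key and the `postClient` entry are constructed for this example.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed client registry (hypothetical). auth_method None means "not configured",
# which falls back to client_secret_basic as OpenID Connect Core specifies.
CLIENTS = {
    "myClientID": {"secret": "changeit", "auth_method": None},
    "postClient": {"secret": "s3cret", "auth_method": "client_secret_post"},
}
DEFAULT_METHOD = "client_secret_basic"

def basic_header(client_id, secret):
    """Authorization header that curl --user sends (client_secret_basic)."""
    return {"Authorization": "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()}

def error(code, desc):
    return False, {"error": code, "error_description": desc}

def presented_method(headers, form):
    """Which method the caller actually used: (method, client_id, secret)."""
    auth = headers.get("Authorization", "")
    has_basic, has_post = auth.startswith("Basic "), "client_secret" in form
    if has_basic and has_post:  # RFC 6749 s2.3: a request must not use two mechanisms
        return "ambiguous", None, None
    if has_basic:
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 credentials
            return None, None, None
        return "client_secret_basic", user, pwd
    if has_post:
        return "client_secret_post", form.get("client_id", [None])[0], form["client_secret"][0]
    return None, form.get("client_id", [None])[0], None

def authenticate_client(headers, body):
    """Model of the OpenAM 13 check: (True, client_id) or (False, OAuth2 error body)."""
    form = parse_qs(body)
    method, client_id, secret = presented_method(headers, form)
    if method == "ambiguous":
        return error("invalid_request", "Multiple client authentication mechanisms used.")
    client = CLIENTS.get(client_id)
    if client is None or method is None:
        return error("invalid_client", "Client authentication failed.")
    if method != (client["auth_method"] or DEFAULT_METHOD):  # the check OpenAM 12 skipped
        return error("invalid_client", "Invalid authentication method for accessing this endpoint.")
    if not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return error("invalid_client", "Client authentication failed.")
    return True, client_id
```

The two curl commands from the description map onto `authenticate_client({}, body)` for the form-parameter request and `authenticate_client(basic_header("myClientID", "changeit"), body)` for the Basic one; only the latter succeeds for a client with no configured method.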
