[OPENAM-7334] Client Authentication method not compliant with OpenID standard Created: 05/Nov/15 Updated: 05/Nov/15 Resolved: 05/Nov/15
Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3
Reporter: Quentin CASTEL [X] (Inactive)
Assignee: Unassigned
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
In the OpenID standard, the client authentication method can be defined in the configuration of the OAuth2 provider (here OpenAM).
In the OpenAM 12 agent profile, the client authentication method can't be defined, so "client_secret_basic" should be used.
However, OpenAM 12 doesn't check the method used.
This means that, for example, the following request should fail, as it uses the "client_secret_post" method:
Instead, you will get the access token.
To be compliant with the standard in 12, use the "client_secret_basic" method, like:
As 12 allows requests that are not compliant with the standard, you may see some requests fail when upgrading to 13.
As explained above, this is not a regression in 13 but a correction made in 13 to be compliant with the standard.
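As an added illustration (not code from the ticket or from OpenAM), the following Python sketches the token-endpoint check the ticket describes: detect which client authentication method a request used and, when a method is required, reject anything else before checking the secret. The client registration, header names and request bodies are constructed samples.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, quote, unquote

# Constructed sample client registration (hypothetical, not from the ticket).
CLIENTS = {"myClient": "s3cret"}

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the client_secret_basic Authorization header (RFC 6749 2.3.1:
    both values are form-urlencoded before being base64-encoded)."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def detect_method(headers: dict, body: str) -> str:
    """Which client authentication method does this token request use?"""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if "client_secret" in parse_qs(body, keep_blank_values=True):
        return "client_secret_post"
    return "none"

def authenticate_client(headers: dict, body: str, required_method=None):
    """Authenticate a token request. required_method=None mirrors the lenient
    behaviour the ticket reports for 12 (any method accepted); passing
    'client_secret_basic' mirrors the strict check. Returns (ok, detail)."""
    method = detect_method(headers, body)
    if required_method is not None and method != required_method:
        return False, f"invalid_client: {method} used, {required_method} required"
    if method == "client_secret_basic":
        try:
            raw = base64.b64decode(headers["Authorization"][6:], validate=True)
            cid, secret = raw.decode().split(":", 1)
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return False, "invalid_client: malformed Authorization header"
        cid, secret = unquote(cid), unquote(secret)
    elif method == "client_secret_post":
        form = parse_qs(body, keep_blank_values=True)
        cid = form.get("client_id", [""])[0]
        secret = form.get("client_secret", [""])[0]
    else:
        return False, "invalid_client: no client credentials"
    expected = CLIENTS.get(cid)
    # Constant-time comparison against the registered secret.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return False, "invalid_client: unknown client or bad secret"
    return True, cid
```

With `required_method=None` the client_secret_post request is accepted, reproducing the behaviour the ticket reports for 12; with `"client_secret_basic"` the same request is rejected with invalid_client.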