Fix issues related to OAuth Resource owner password grant flow #4238
Summary: When using CAS as OIDC provider, and when we want to use username/password for authentication, CAS was not working as expected.
When we have a service registered as Confidential client giving it a
We found the following issues, which are fixed in this PR.
Expected behaviour is to return
Expected behaviour is to return access token for the user authenticated by provided credentials.
As a fix for this, added a check in
There are a couple of other issues related to this flow which are also fixed.
```
@@            Coverage Diff            @@
##             master    #4238   +/-   ##
=========================================
  Coverage          ?   63.52%
  Complexity        ?     7478
=========================================
  Files             ?     1653
  Lines             ?    36229
  Branches          ?     3364
=========================================
  Hits              ?    23015
  Misses            ?    11020
  Partials          ?     2194
```
This seems problematic; if someone has not defined scopes for the service, that would mean that the user does not wish to release anything to the relying party; thus the emptiness. An empty collection of scopes basically is a deny-all. Allowing all scopes will not work as that would be rather surprising behavior and inconsistent with the general attribute release policies in CAS; scopes must always be explicitly defined, as should all other attributes in all other protocol implementations.
Perhaps you can make this optional with some sort of flag, but even then, I think you'd be introducing additional complexity.
The rest looks pretty good, thank you!
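The policy the review describes, as an added illustration that is not CAS code: the class and method names below are assumptions made for this example, and it encodes "scopes must be explicitly defined, empty means deny-all" rather than the allow-all fallback the review objects to.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Illustrative scope release check for the resource owner password grant.
 * Not part of CAS: names here are assumptions for this example. A registered
 * service may release exactly the scopes explicitly defined on it; a service
 * with no scopes defined releases nothing (deny-all), mirroring how attribute
 * release policies behave.
 */
public final class ScopeReleasePolicy {

    private ScopeReleasePolicy() {
    }

    /**
     * Returns the requested scopes restricted to those the service explicitly
     * defines. An undefined or empty definition yields the empty set; it is
     * never widened to "everything that was requested".
     */
    public static Set<String> releasableScopes(Set<String> definedScopes, Set<String> requestedScopes) {
        if (definedScopes == null || definedScopes.isEmpty()) {
            return Collections.emptySet();
        }
        Set<String> allowed = new LinkedHashSet<>(requestedScopes);
        allowed.retainAll(definedScopes);
        return Collections.unmodifiableSet(allowed);
    }

    /**
     * A password-grant token request proceeds only when at least one requested
     * scope survives the filter, so a service that defined no scopes cannot
     * obtain a token carrying scopes it never agreed to release.
     */
    public static boolean hasReleasableScopes(Set<String> definedScopes, Set<String> requestedScopes) {
        return !releasableScopes(definedScopes, requestedScopes).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample request: a client asking for three scopes.
        Set<String> requested = new LinkedHashSet<>(List.of("openid", "profile", "email"));

        // Service with explicit scopes: only the overlap is released.
        System.out.println(releasableScopes(Set.of("openid", "profile"), requested));

        // Service with no scopes defined: deny-all, so the request is refused.
        System.out.println(releasableScopes(Set.of(), requested));
        System.out.println(hasReleasableScopes(Set.of(), requested));
    }
}
```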