Missing secret attribute in UAA YAML must not be used for any default passwords #2454
Labels
accepted
Accepted the issue
Comments
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/185909306 The labels on this github issue will be updated when the story is started. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What version of UAA are you running?
Dev UAA , 76.19. , latest one
How are you deploying the UAA?
I am deploying the UAA
What did you do?
Defined a client in a yaml file to be provisioned with UAA. Usage was authorization code without a secret. So the client should not have a secret at all.
However the "" (empty) secret is created and can be used, this was unexpected.
What did you expect to see? What goal are you trying to achieve with the UAA?
Omitting a secret should not lead to an empty secret. If I set secret: "" then OK, it was specified in yaml. But the secret was not defined.
What did you see instead?
Code exchange was working with "" secret and the resulted token did no had the claim client_auth_method so from UAA it was a normal client authentication.
The text was updated successfully, but these errors were encountered: