OAuth 2.0 client should support client_secret_basic #44

tsujiguchitky · 2019-04-08T09:25:29Z

Description

When OpenAM works as OAuth 2.0 Client, client authentication to token endpoint is done by client_secret_post.

However, according to RFC 6979 section 2.3.1, it seems that client_secret_basic should be used rather than client_secret_post.

Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes).

Solution

Add an option to use client_secret_basic as client authentication in OAuth 2.0 authentication module.

The text was updated successfully, but these errors were encountered:

* OAuth2.0/OIDC authentication module support client_secret_basic

* Issue #44 OAuth 2.0 client should support client_secret_basic * OAuth2.0/OIDC authentication module support client_secret_basic * Remove unnecessary getTokenServicePOSTparametersForBasic()

tsujiguchitky added this to the OpenAM 14.0.0 milestone May 31, 2019

oss-aimoto added a commit that referenced this issue Aug 15, 2019

Issue #44 OAuth 2.0 client should support client_secret_basic

b468b2b

* OAuth2.0/OIDC authentication module support client_secret_basic

tsujiguchitky assigned oss-aimoto Sep 20, 2019

OGIS-RyoKobayashi closed this as completed Oct 25, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OAuth 2.0 client should support client_secret_basic #44

OAuth 2.0 client should support client_secret_basic #44

tsujiguchitky commented Apr 8, 2019

OAuth 2.0 client should support client_secret_basic #44

OAuth 2.0 client should support client_secret_basic #44

Comments

tsujiguchitky commented Apr 8, 2019

Description

Solution