Closed jamietanna closed 2 years ago
With a client registered with client_secret_basic, authenticating via client_secret_post succeeds:
curl 'http://localhost:8080/openid-connect-server-webapp/token' -d client_id=... -d client_secret=... -d grant_type=client_credentials
As does vice versa - being registered with client_secret_post but authenticating with client_secret_basic.
This may be intended - and I've seen some servers allow this - but thought I'd flag in case it's a problem.
This is intentional behavior from the server. The rationale being that in both cases, the client is using a client secret sent directly to the server, just sending it in different places.
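The two behaviours discussed in this thread, as an added example that is not the server's own code: a small token-endpoint authenticator that detects whether a request carried the secret via HTTP Basic (client_secret_basic) or in the form body (client_secret_post), then either enforces the method the client registered with (`strict=True`) or accepts either, as the maintainer describes (`strict=False`). The CLIENTS registry, its ids and secrets, and the function names are constructed for this example.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote

# Constructed client registry: hypothetical ids with placeholder secrets, each
# recorded with the token_endpoint_auth_method it registered.
CLIENTS = {
    "basic-client": {"secret": "basic-secret", "auth_method": "client_secret_basic"},
    "post-client": {"secret": "post-secret", "auth_method": "client_secret_post"},
}


class ClientAuthError(Exception):
    """Raised with a short machine-readable reason when credentials cannot be read."""


def basic_header(client_id, client_secret):
    """Build the Authorization value a client_secret_basic client sends (RFC 6749 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def extract_credentials(headers, body):
    """Return (method_used, client_id, client_secret) for a token request.

    headers: dict of HTTP headers; body: raw application/x-www-form-urlencoded string.
    """
    from_header = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            raise ClientAuthError("malformed_basic_header")
        if ":" not in decoded:
            raise ClientAuthError("malformed_basic_header")
        cid, secret = decoded.split(":", 1)
        # RFC 6749 form-urlencodes id and secret before base64; undo that here.
        from_header = ("client_secret_basic", unquote(cid), unquote(secret))

    from_body = None
    form = parse_qs(body, keep_blank_values=True)
    if "client_secret" in form:
        from_body = ("client_secret_post", form.get("client_id", [""])[0], form["client_secret"][0])

    # RFC 6749 2.3 forbids using more than one authentication method per request.
    if from_header and from_body:
        raise ClientAuthError("multiple_auth_methods")
    found = from_header or from_body
    if found is None:
        raise ClientAuthError("no_client_credentials")
    return found


def authenticate(headers, body, strict=True):
    """Authenticate a token request; returns (ok, reason_or_method_used)."""
    try:
        method, cid, secret = extract_credentials(headers, body)
    except ClientAuthError as e:
        return False, str(e)
    client = CLIENTS.get(cid)
    if client is None:
        return False, "unknown_client"
    # Strict mode rejects a secret delivered by a method other than the registered one.
    if strict and method != client["auth_method"]:
        return False, "auth_method_mismatch"
    # Constant-time comparison of the presented secret against the stored one.
    if not hmac.compare_digest(client["secret"].encode("utf-8"), secret.encode("utf-8")):
        return False, "bad_secret"
    return True, method


if __name__ == "__main__":
    hdr = {"Authorization": basic_header("basic-client", "basic-secret")}
    post = "grant_type=client_credentials&client_id=basic-client&client_secret=basic-secret"
    print(authenticate(hdr, "grant_type=client_credentials"))   # registered method: accepted
    print(authenticate({}, post))                               # other method, strict: rejected
    print(authenticate({}, post, strict=False))                 # other method, lenient: accepted
```

With `strict=False` the check reduces to "was a valid secret presented by some form of direct-secret authentication", which is the rationale given in the reply; with `strict=True` the registered method becomes an enforced property of the client record, so a log of `auth_method_mismatch` rejections shows which clients are configured one way and authenticating another.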