mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

Authentication with Client Secret Basic and Client Secret POST are interchangeable #1563

Closed jamietanna closed 2 years ago

jamietanna commented 2 years ago

With a client registered with client_secret_basic, authenticating via client_secret_post succeeds:

curl 'http://localhost:8080/openid-connect-server-webapp/token' -d client_id=... -d client_secret=... -d grant_type=client_credentials

As does vice versa - being registered with client_secret_post but authenticating with client_secret_basic.

This may be intended - and I've seen some servers allow this - but thought I'd flag in case it's a problem.

jricher commented 2 years ago

This is intentional behavior from the server. The rationale is that in both cases, the client is using a client secret sent directly to the server, just sending it in different places.
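As an added illustration (not code from this project), the following Python sketch of a token-endpoint client authenticator shows both behaviours: `strict=False` accepts either `client_secret_basic` or `client_secret_post` regardless of registration, as the issue describes, while `strict=True` rejects a request whose method does not match the client's registered `token_endpoint_auth_method`. The client registry, secrets and helper names are constructed for the example.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote

# Constructed client registry (hypothetical ids and secrets), keyed by client_id.
CLIENTS = {
    "basic-client": {"secret": "s3cret-basic", "auth_method": "client_secret_basic"},
    "post-client": {"secret": "s3cret-post", "auth_method": "client_secret_post"},
}


def basic_header(client_id, secret):
    """Build the Authorization header a client_secret_basic client sends
    (RFC 6749 s2.3.1: id and secret are form-urlencoded before base64)."""
    raw = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def extract_credentials(headers, body):
    """Return (client_id, client_secret, method_used), or None if absent.
    Basic header wins if present; otherwise look for form parameters."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        raw = base64.b64decode(auth[6:]).decode()
        cid, _, secret = raw.partition(":")
        return unquote(cid), unquote(secret), "client_secret_basic"
    form = parse_qs(body)
    if "client_id" in form and "client_secret" in form:
        return form["client_id"][0], form["client_secret"][0], "client_secret_post"
    return None


def authenticate(headers, body, strict=True):
    """Authenticate a token request. strict=True enforces the registered
    method; strict=False reproduces the interchangeable behaviour."""
    creds = extract_credentials(headers, body)
    if creds is None:
        return False, "no client credentials"
    cid, secret, method = creds
    client = CLIENTS.get(cid)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if client is None or not hmac.compare_digest(client["secret"], secret):
        return False, "invalid_client"
    if strict and method != client["auth_method"]:
        return False, f"method {method} not allowed for {cid}"
    return True, method
```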