Strict client authentication checking

Overview


Authlete 2.0 strictly checks the configured client type and client authentication method against each token request. As a result it rejects some requests that Authlete 1.1 accepts.

Changes

Verification policy

  Authlete 1.1
    Verifies the client secret in a token request regardless of the configured client type and client authentication method.

  Authlete 2.0
    Verification depends on the configured client type and client authentication method:
    • A. Client type is public
      • A.1. Responds with an error if the client authentication method is anything other than none.
    • B. Client type is confidential
      • B.1. Responds with an error if the client authentication method is none.
      • B.2. Applies an additional constraint according to the client authentication method:
        • client_secret_basic: responds with an error if the client secret is not present in the Authorization header.
        • client_secret_post: responds with an error if the client secret is not present in the request body.

Default settings

  Authlete 1.1
    • Client type: public
    • Client authentication method: client_secret_basic

  Authlete 2.0
    • Client type: public
    • Client authentication method: none

Notes on migrating from Authlete 1.1 to 2.0

In version 1.1, if client_secret_basic is configured as the client authentication method and a client sends its client secret in the request body instead, Authlete still verifies the value and accepts the request.

In version 2.0, a client configured with client_secret_basic must send its client secret in the Authorization header (HTTP Basic authentication). Authlete 2.0 therefore rejects requests of this kind that Authlete 1.1 accepted; either the client is fixed to send the secret where the configured method requires, or the client's configuration is changed to client_secret_post.

Note also that the Authlete 1.1 default settings (client type public with client authentication method client_secret_basic) are exactly the combination that rule A.1 rejects in 2.0, so clients left on those defaults need to be reconfigured before migrating.
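As an added example that is not Authlete's own code, the following Python models the 2.0 policy matrix from the table above and the migration case just described, so the difference between the two versions can be seen on concrete token requests. The function names, the request representation (a headers dict plus a form dict), the error strings and the simplified model of 1.1 behaviour are assumptions made for illustration; only the A/B rules and the header-versus-body placement rules come from this page, and the wire format of the two methods follows RFC 6749 Section 2.3.1.

```python
"""Added example, not Authlete's own code: a model of the client
authentication policy in the table above, run over constructed token
requests. Function names, the request shape (headers dict plus form dict),
the error strings and the simplified 1.1 model are assumptions made for
illustration; the wire formats follow RFC 6749 Section 2.3.1."""
import base64
import binascii
import hmac
from typing import Optional, Tuple
from urllib.parse import quote, unquote


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: form-urlencode id and secret, join with ':', Base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def secret_from_basic_header(headers: dict) -> Optional[Tuple[str, str]]:
    """Return (client_id, client_secret) from an HTTP Basic header, else None."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (unquote(client_id), unquote(secret)) if sep else None


def secret_matches(presented: Optional[str], expected: str) -> bool:
    """Constant-time comparison so response timing does not leak the secret."""
    return presented is not None and hmac.compare_digest(
        presented.encode("utf-8"), expected.encode("utf-8"))


def authlete_1_1_check(client_type, auth_method, headers, form, expected_secret):
    """Simplified 1.1 model (assumption): configuration is ignored and the
    secret is verified wherever the client happened to put it."""
    basic = secret_from_basic_header(headers)
    presented = basic[1] if basic else form.get("client_secret")
    if secret_matches(presented, expected_secret):
        return True, "ok"
    return False, "invalid_client: missing or wrong client secret"


def authlete_2_0_check(client_type, auth_method, headers, form, expected_secret):
    """Strict 2.0 policy from the table: rules A.1, B.1 and B.2."""
    if client_type == "public":
        if auth_method != "none":  # A.1
            return False, "public client must use authentication method none"
        return True, "ok (no client authentication)"
    if client_type != "confidential":
        return False, f"unknown client type {client_type!r}"
    if auth_method == "none":  # B.1
        return False, "confidential client must not use authentication method none"
    if auth_method == "client_secret_basic":  # B.2: Authorization header only
        basic = secret_from_basic_header(headers)
        if basic is None:
            return False, "client_secret_basic: no client secret in Authorization header"
        presented = basic[1]
    elif auth_method == "client_secret_post":  # B.2: request body only
        presented = form.get("client_secret")
        if presented is None:
            return False, "client_secret_post: no client secret in request body"
    else:
        return False, f"method {auth_method!r} is not covered by this example"
    if not secret_matches(presented, expected_secret):
        return False, "invalid_client: wrong client secret"
    return True, "ok"


# Constructed sample data for the demonstration, not real credentials.
CLIENT_ID = "example-client"
CLIENT_SECRET = "constructed-secret-value"
BODY = {"grant_type": "authorization_code", "code": "constructed-code",
        "redirect_uri": "https://client.example/cb", "client_id": CLIENT_ID}
# Same secret, two placements: Authorization header vs. request body.
REQ_BASIC = ({"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET)}, dict(BODY))
REQ_POST = ({}, {**BODY, "client_secret": CLIENT_SECRET})


def migration_case():
    """The migration-note case: client_secret_basic configured, secret sent in
    the body. Returns (accepted by 1.1, accepted by 2.0)."""
    headers, form = REQ_POST
    v11, _ = authlete_1_1_check("confidential", "client_secret_basic", headers, form, CLIENT_SECRET)
    v20, _ = authlete_2_0_check("confidential", "client_secret_basic", headers, form, CLIENT_SECRET)
    return v11, v20


if __name__ == "__main__":
    print("(accepted by 1.1, accepted by 2.0):", migration_case())  # (True, False)
```

Running the file shows the same request accepted by the 1.1 model and rejected by the 2.0 model. Feeding the 1.1 default settings (public, client_secret_basic) into authlete_2_0_check rejects them under rule A.1 regardless of where the secret is sent, which is why those clients need reconfiguring rather than just a change on the wire.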