Strict client authentication checking
Overview
Authlete 2.0 strictly checks the configured values of client type and client authentication method. It refuses some requests that are valid for Authlete 1.1.
Changes
Notes on migrating from Authlete 1.1 to 2.0
In version 1.1, if you have specified client_secret_basic as the client authentication method and a client sends a request with the client secret in the request body, Authlete verifies the value.
In version 2.0, a client must include the client secret in the Authorization header if you have specified client_secret_basic as the client authentication method. Authlete 2.0 therefore responds with an error to a request that carries the client secret in the request body, even though that request is valid for Authlete 1.1.
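Before migrating, it helps to find the clients whose token requests will start failing. The following is an added example, not Authlete code: it models only the rule described above (where the secret is presented, not whether it is correct) and replays captured requests against both behaviours. The function names, client IDs, secrets and sample requests are all constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote

def basic_header(client_id, client_secret):
    # RFC 6749 section 2.3.1: URL-encode each part, join with ":", then base64.
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def presented_method(headers, body):
    """Report where the client put its secret in a token request."""
    in_header = headers.get("Authorization", "").lower().startswith("basic ")
    in_body = "client_secret" in parse_qs(body)
    if in_header and in_body:
        return "multiple"  # modelling choice: never matches a registered method
    if in_header:
        return "client_secret_basic"
    return "client_secret_post" if in_body else "none"

def accepted(registered, headers, body, strict):
    """strict=True models the 2.0 rule; strict=False the 1.1 behaviour above."""
    used = presented_method(headers, body)
    if used == registered:
        return True
    # 1.1 only: a client_secret_basic client may still send the secret in the body.
    return (not strict and registered == "client_secret_basic"
            and used == "client_secret_post")

def clients_that_will_break(registrations, requests):
    """Client IDs whose logged requests pass under 1.1 but are refused under 2.0."""
    broken = set()
    for client_id, headers, body in requests:
        reg = registrations[client_id]
        if accepted(reg, headers, body, False) and not accepted(reg, headers, body, True):
            broken.add(client_id)
    return sorted(broken)

# Constructed sample data: registered methods and captured token requests.
REGISTRATIONS = {"app-a": "client_secret_basic", "app-b": "client_secret_basic",
                 "app-c": "client_secret_post"}
REQUESTS = [
    ("app-a", {"Authorization": basic_header("app-a", "s3cr3t-a")},
     "grant_type=client_credentials"),
    ("app-b", {}, "grant_type=client_credentials&client_id=app-b&client_secret=s3cr3t-b"),
    ("app-c", {}, "grant_type=client_credentials&client_id=app-c&client_secret=s3cr3t-c"),
]

if __name__ == "__main__":
    print(clients_that_will_break(REGISTRATIONS, REQUESTS))
```

Each client reported needs either its code changed to send the Authorization header or its registered method changed to client_secret_post before the upgrade.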