Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set correct ClientCredentialStyle for use with ClientAssertion #424

Merged
merged 3 commits into from
Apr 9, 2024
Merged

Set correct ClientCredentialStyle for use with ClientAssertion #424

merged 3 commits into from
Apr 9, 2024

Conversation

kbrekke
Copy link
Contributor

@kbrekke kbrekke commented Apr 9, 2024

@josephdecock
Set client credential style to PostBody only if client assertion is set
dced1ba 
Client secrets are not recommended in the post body by RFC 6749. We should use post body (at least by default) only for client assertions.

Also added tests of this behavior.
@josephdecock
Whitespace
f611ad7
josephdecock
josephdecock approved these changes Apr 9, 2024
View reviewed changes
Copy link
Contributor

@josephdecock josephdecock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks very much for catching this @kbrekke! I've updated this to conditionally set the client credential style, because if we are using client secrets instead of client assertions, we shouldn't set them in the post body (doing so is strongly discouraged by RFC 6749).

@josephdecock
Copy link
Contributor

@brockallen, I updated this PR, so would you mind taking a quick look as well? My thinking is that, because client secrets are not recommended in the post body by RFC 6749, and RFC 9126 (PAR) says that

The rules for client authentication as defined in [RFC6749] for token endpoint requests, including the applicable authentication methods, apply for the PAR endpoint as well.

we should use the post body credentials style (at least by default) only for client assertions. Do you agree?

@brockallen brockallen merged commit 9acdb64 into IdentityModel:main Apr 9, 2024
3 checks passed
@brockallen brockallen added the bug label Apr 9, 2024
@brockallen brockallen added this to the 6.0.0 milestone Apr 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@josephdecock josephdecock josephdecock approved these changes

@brockallen brockallen brockallen approved these changes

Assignees
No one assigned
Labels
bug
Milestone
6.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@kbrekke @josephdecock @brockallen