•  
      request #14798 The OIDC client plugin should authenticate with BasicAuth when accessing the token endpoint
    Infos
    #14798
    Thomas Gerbet (tgerbet)
    2020-04-20 15:19
    2020-04-17 18:49
    16070
    Details
    The OIDC client plugin should authenticate with BasicAuth when accessing the token endpoint
    As of today the plugin passes the client ID and secret in the body of the request. Per the specification [0] the authorization server might not have implemented this way to authenticate so the plugin might be incompatible with some OpenID Connect (Tuleap itself included). Also, the OAuth2 Framework discourages this usage:

    > Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).



    [0] https://tools.ietf.org/html/rfc6749#section-2.3.1
    Authentication & LDAP
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-04-20
    Attachments
    Empty
    References

    Follow-ups