request #14798: The OIDC client plugin should authenticate with BasicAuth when accessing the token endpoint
    Infos
    Artifact ID: #14798
    Submitted by: Thomas Gerbet (tgerbet)
    Last update: 2020-04-20 15:19
    Submitted on: 2020-04-17 18:49
    16067
    Details
    The OIDC client plugin should authenticate with BasicAuth when accessing the token endpoint
    As of today the plugin passes the client ID and secret in the body of the request. Per the specification [0], the authorization server might not have implemented this way to authenticate, so the plugin might be incompatible with some OpenID Connect providers (Tuleap itself included). Also, the OAuth2 Framework discourages this usage:

    > Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).
    [0] https://tools.ietf.org/html/rfc6749#section-2.3.1
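Worked example of the two client-authentication forms discussed in the request, added here and not Tuleap's own code: it builds the authorization_code token request with the client credentials in an HTTP Basic header (the form the request asks for) and, for contrast, in the request body (the form the plugin used), and shows how a token endpoint decodes the header back. The endpoint URL, client ID, secret and authorization code are constructed sample values; the endpoint path is an assumption, not Tuleap's documented one. The example also covers a detail of RFC 6749 section 2.3.1 that implementations often miss: the client ID and secret are application/x-www-form-urlencoded before being placed in the Basic credential, which is why a secret containing ':' or '/' still round-trips unambiguously.

```python
"""Token-endpoint client authentication per RFC 6749 section 2.3.1.

Added example, not Tuleap's code. Sample values below are constructed.
"""
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Assumed endpoint for illustration; not taken from Tuleap's documentation.
TOKEN_ENDPOINT = "https://tuleap.example.com/oauth2/token"


def basic_credential_string(client_id: str, client_secret: str) -> str:
    """'user:password' string that goes into the Basic scheme.

    RFC 6749 2.3.1: the client identifier and password are each encoded with
    the application/x-www-form-urlencoded algorithm first, so ':' or '/' in a
    secret cannot collide with the separator or break the header.
    """
    return f"{quote_plus(client_id)}:{quote_plus(client_secret)}"


def basic_authorization_header(client_id: str, client_secret: str) -> str:
    raw = basic_credential_string(client_id, client_secret).encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request_basic(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Recommended form: credentials only in the Authorization header.

    client_id is left out of the body: RFC 6749 4.1.3 requires it there only
    when the client does not authenticate with the authorization server.
    """
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": basic_authorization_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(
            {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
        ),
    }


def token_request_post(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """NOT RECOMMENDED form (RFC 6749 2.3.1): credentials in the request body.

    A server that only implements the Basic scheme will reject this request,
    which is the incompatibility the ticket describes.
    """
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(
            {
                "grant_type": "authorization_code",
                "code": code,
                "redirect_uri": redirect_uri,
                "client_id": client_id,
                "client_secret": client_secret,
            }
        ),
    }


def parse_basic_client_credentials(authorization: str):
    """Server side: return (client_id, client_secret) from an Authorization
    header, or None when it is not a well-formed Basic credential."""
    scheme, _, value = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Reverse the form-urlencoding applied by the client.
    return unquote_plus(user), unquote_plus(password)


def body_params(request: dict) -> dict:
    """Flatten the urlencoded body of a request dict for inspection."""
    return {k: v[0] for k, v in parse_qs(request["body"]).items()}


if __name__ == "__main__":
    # Constructed sample credentials; the secret deliberately contains ':' and '/'.
    cid, secret = "tuleap-client", "s3cr:t/v+lue"
    req = token_request_basic(cid, secret, "SplxlOBeZQQYbYS6WxSbIA", "https://client.example/cb")
    print(req["headers"]["Authorization"], "->", parse_basic_client_credentials(req["headers"]["Authorization"]))
    print("body (basic):", body_params(req))
    print("body (post):", body_params(token_request_post(cid, secret, "SplxlOBeZQQYbYS6WxSbIA", "https://client.example/cb")))
```

The server-side parser splits on the first ':' only after base64 decoding, then percent-decodes each half; without the encoding step on the client, a secret containing ':' would be split at the wrong place.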
    Authentication & LDAP
    All
    • [ ] enhancement
    • [ ] internal improvement
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-04-20
    Attachments: none
    References

    Follow-ups