KEYCLOAK-17928: Determine public client based on "token_endpoint_auth_method" during OIDC dynamic client registration

Project: Keycloak. Sub-task of KEYCLOAK-13933 Client Policies.

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 14.0.0
    • Component/s: None
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      We should review how we determine that a client is a public client during OIDC client registration. It seems that during OIDC client registration, we set the client as a public client only in the case of the implicit flow.

      I think it would be correct to instead do this based on the "token_endpoint_auth_method".

      A few references from the specification:

      • token_endpoint_auth_method
            OPTIONAL. Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
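The classification rule proposed in the description, as an added Python example that is not Keycloak code: it decides public vs. confidential from `token_endpoint_auth_method` (applying the spec default `client_secret_basic` when the field is omitted) and contrasts it with a simplified implicit-flow heuristic, which is an assumption standing in for the current check rather than Keycloak's actual logic. The sample registration requests are constructed.

```python
import json

# Token endpoint authentication methods listed in OpenID Connect Core 1.0 section 9
# (the set quoted from the Dynamic Client Registration spec above).
KNOWN_AUTH_METHODS = {
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt",
    "none",
}
DEFAULT_AUTH_METHOD = "client_secret_basic"  # spec default when the field is omitted


def is_public_client(request: dict) -> bool:
    """Proposed rule: the client is public exactly when it registers with
    token_endpoint_auth_method 'none'. An omitted field means client_secret_basic,
    i.e. a confidential client that must present a secret at the token endpoint."""
    method = request.get("token_endpoint_auth_method", DEFAULT_AUTH_METHOD)
    if method not in KNOWN_AUTH_METHODS:
        # Extensions MAY define other methods; reject values this code does not
        # understand instead of silently guessing a confidentiality level.
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return method == "none"


def uses_implicit_flow(request: dict) -> bool:
    """Simplified stand-in (assumption, not Keycloak's code) for the current
    heuristic: treat the client as implicit-only when no response_type asks
    for an authorization code."""
    response_types = request.get("response_types", ["code"])
    return all("code" not in rt.split() for rt in response_types)


# Constructed sample registration requests (not taken from the issue).
SPA_CODE_FLOW_NO_SECRET = json.loads(
    '{"redirect_uris": ["https://spa.example/cb"], "response_types": ["code"],'
    ' "token_endpoint_auth_method": "none"}'
)
IMPLICIT_WITH_SECRET = json.loads(
    '{"redirect_uris": ["https://legacy.example/cb"], "response_types": ["id_token token"],'
    ' "token_endpoint_auth_method": "client_secret_basic"}'
)
AUTH_METHOD_OMITTED = json.loads('{"redirect_uris": ["https://srv.example/cb"]}')

if __name__ == "__main__":
    for name, req in [("SPA_CODE_FLOW_NO_SECRET", SPA_CODE_FLOW_NO_SECRET),
                      ("IMPLICIT_WITH_SECRET", IMPLICIT_WITH_SECRET),
                      ("AUTH_METHOD_OMITTED", AUTH_METHOD_OMITTED)]:
        # Shows where the two rules disagree: a code-flow client declaring 'none'
        # is public under the proposed rule but not under the implicit heuristic.
        print(f"{name}: implicit={uses_implicit_flow(req)} public={is_public_client(req)}")
```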

        People

        Assignee: Unassigned
        Reporter: mposolda (Marek Posolda)