KEYCLOAK-17928: Determine public client based on "token_endpoint_auth_method" during OIDC dynamic client registration
Project: Keycloak. Parent: KEYCLOAK-13933 Client Policies


Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Done
    • None
    • 14.0.0
    • None
    • NEW
    • NEW

    Description

      We should review how we determine that a client is a public client during OIDC client registration. It seems that during OIDC client registration, we set the client as a public client only in the case of implicit flow.

      I think it would be correct to instead do this based on "token_endpoint_auth_method".

      A few references from the specification:

      • token_endpoint_auth_method
            OPTIONAL. Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
        
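      The rule proposed in the description, as an added illustration that is not Keycloak's code: a registration request is classified as a public client from "token_endpoint_auth_method" (with the spec default of client_secret_basic when omitted), side by side with the current implicit-flow-based behaviour the issue describes. The sample requests are constructed, and modelling the current behaviour via the "grant_types" list is an assumption of this example.

```python
# Added example, not Keycloak's own code. Classifies an OIDC dynamic client
# registration request as public/confidential from token_endpoint_auth_method.
import json

# Methods listed in OpenID Connect Dynamic Client Registration 1.0 that imply
# the client holds credentials; "none" means it has no credentials (public).
CONFIDENTIAL_AUTH_METHODS = {
    "client_secret_basic", "client_secret_post",
    "client_secret_jwt", "private_key_jwt",
}


def is_public_client_old(reg: dict) -> bool:
    """Behaviour the issue describes as current: public only when the implicit
    flow is requested. (Assumption: modelled on the "grant_types" list.)"""
    return "implicit" in reg.get("grant_types", ["authorization_code"])


def is_public_client(reg: dict) -> bool:
    """Proposed rule: public iff token_endpoint_auth_method is "none".
    An omitted value defaults to client_secret_basic, as the spec says."""
    method = reg.get("token_endpoint_auth_method", "client_secret_basic")
    if method == "none":
        return True
    if method in CONFIDENTIAL_AUTH_METHODS:
        return False
    # Extension-defined methods exist per the spec; this example rejects
    # values it does not understand rather than silently guessing.
    raise ValueError(f"unsupported token_endpoint_auth_method: {method!r}")


def classify(registration_json: str) -> dict:
    """Return both classifications so the two rules can be compared."""
    reg = json.loads(registration_json)
    return {"old": is_public_client_old(reg), "proposed": is_public_client(reg)}


# Constructed sample requests (not real registrations).
SPA_REQUEST = json.dumps({          # browser app, code flow, no credentials
    "redirect_uris": ["https://app.example.com/cb"],
    "grant_types": ["authorization_code"],
    "token_endpoint_auth_method": "none",
})
IMPLICIT_WITH_SECRET = json.dumps({  # implicit flow but has a client secret
    "redirect_uris": ["https://app.example.com/cb"],
    "grant_types": ["implicit"],
    "token_endpoint_auth_method": "client_secret_basic",
})
DEFAULT_REQUEST = json.dumps({"redirect_uris": ["https://app.example.com/cb"]})
```

      For the SPA request the two rules disagree: the current rule would register it as confidential (and expect a secret it cannot keep), the proposed rule registers it as public.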

          People

            Assignee: Unassigned
            Reporter: Marek Posolda (mposolda@redhat.com)
            Votes: 0
            Watchers: 2