openshift/osin

Should accept request with no client credential in Resource owner password credentials grant

thanhpk opened this issue · 3 comments

According to RFC 6749#section-4.3, when authorizing with the Resource owner password credentials grant, the client MAY NOT provide any client credentials. Hence, osin should not make it mandatory.
best,

I ran into this, too. What the server expects is at least a valid client_id parameter and an empty client_secret parameter. This worked for me, as I do have a client_id for my trusted single page web app. The empty client_secret parameter is a little weird, but this allows a resource owner password request to grant an access token.
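The request shape described in the comment above, as an added Go example that is not part of the thread and is not osin code: it builds a password-grant token request with a `client_id` and an explicitly empty `client_secret`, then classifies how a request identifies its client. The helper names, the `/token` path and the credentials are constructed assumptions; the check reads `r.PostForm` because `r.FormValue("client_secret")` returns `""` for both an absent and an empty parameter.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// WorkaroundBody encodes the form from the comment: client_id plus an empty client_secret.
func WorkaroundBody(clientID, user, pass string) string {
	return url.Values{
		"grant_type": {"password"}, "username": {user}, "password": {pass},
		"client_id": {clientID}, "client_secret": {""}, // present but empty
	}.Encode()
}

// TokenRequest wraps an encoded form body in a POST as a server handler would receive it.
func TokenRequest(body string) *http.Request {
	req := httptest.NewRequest(http.MethodPost, "/token", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req
}

// ClientAuthKind reports how the request identifies its client (hypothetical helper).
func ClientAuthKind(r *http.Request) string {
	if _, _, ok := r.BasicAuth(); ok {
		return "basic"
	}
	if err := r.ParseForm(); err != nil {
		return "malformed"
	}
	_, hasID := r.PostForm["client_id"]
	secret, hasSecret := r.PostForm["client_secret"]
	switch {
	case !hasID:
		return "none"
	case !hasSecret:
		return "id-only"
	case secret[0] == "":
		return "id-empty-secret"
	}
	return "id-and-secret"
}

func main() {
	fmt.Println(ClientAuthKind(TokenRequest(WorkaroundBody("spa-client", "alice", "constructed-password"))))
}
```

A token endpoint that accepts the `id-empty-secret` or `none` cases should do so only for clients registered without a secret, since RFC 6749 section 4.3.2 still requires confidential clients to authenticate.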

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale