4
votes

Section 4.3.2 of RFC 6749 (which describes the "Resource Owner Password Credentials Grant" flow of the OAuth 2.0 Authorization Framework) states:

If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.

I can't seem to find a reference as to what a "confidential client" is. From this it seems that it's allowed to have non-confidential clients participate in the "Resource Owner Password Credentials Grant" flow (Section 4.3), i.e. clients that won't (and can't) authenticate themselves with the Authorization Server.

Is this correct?


2 Answers

3
votes

Check out the client types section, where the definition of "confidential clients" is given as:

Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.

Cloud Foundry's command-line cf application is an example of a "public" (i.e. non-confidential) client which uses the password grant.

1
votes

Section 2.3 of the OAuth 2.0 specification has the following paragraph:

The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.

Where a public client is defined in section 2.1 as:

Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.

So, you can (optionally) authenticate the client, but you must not take that to mean that the client is who it says it is.
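The two rules quoted on this page (Section 4.3.2: a confidential client MUST authenticate at the token endpoint; Section 2.3: a server MUST NOT rely on public-client authentication to identify the client) are easiest to see side by side in a token endpoint that serves the password grant to both client types. The following is an added example written for this page, not code from RFC 6749, Cloud Foundry, or either answer. The client registry, the user store, the hash parameters, the requirement that a public client send a client_id, and the policy of withholding the "admin" scope from unauthenticated clients are all assumptions of the example, and the client_id / client_authenticated fields in the response are illustrative extras that the RFC does not define.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Constructed client registry (assumption of this example). A "confidential"
# client holds a secret it can protect; a "public" client cannot keep one.
CLIENTS = {
    "web-backend": {"type": "confidential", "secret": b"backend-secret-0xdeadbeef",
                    "allowed_scopes": {"read", "write", "admin"}},
    "cli-tool": {"type": "public", "secret": None,
                 "allowed_scopes": {"read", "write"}},
}


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 for the resource-owner password (parameters are illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_ALICE_SALT = b"constructed-salt"
# Constructed resource-owner store: username -> (salt, derived key).
USERS = {"alice": (_ALICE_SALT, _derive("correct horse battery staple", _ALICE_SALT))}


def basic_header(client_id: str, client_secret: str) -> dict:
    """Build the HTTP Basic Authorization header of RFC 6749 section 2.3.1
    (client_id and secret are form-urlencoded before base64)."""
    raw = f"{quote(client_id)}:{quote(client_secret)}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _parse_basic(headers: dict):
    """Return (client_id, secret_bytes) from a Basic header, or None if absent/malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    client_id, _, secret = decoded.partition(":")
    if not client_id:
        return None
    return unquote(client_id), unquote(secret).encode()


def identify_client(params: dict, headers: dict):
    """Return (client_id, authenticated). Raise ValueError("invalid_client") on failure."""
    basic = _parse_basic(headers)
    if basic:
        client_id, presented = basic
    else:
        client_id = params.get("client_id")
        secret = params.get("client_secret")
        presented = secret.encode() if secret is not None else None
    client = CLIENTS.get(client_id)
    if client is None:
        raise ValueError("invalid_client")
    if client["type"] == "confidential":
        # Section 4.3.2 / 3.2.1: a confidential client MUST authenticate.
        if presented is None or not hmac.compare_digest(presented, client["secret"]):
            raise ValueError("invalid_client")
        return client_id, True
    # Public client: section 2.3 allows accepting credentials but forbids relying
    # on them, so the client_id is carried along as an unverified claim only.
    return client_id, False


def password_grant(params: dict, headers: dict) -> dict:
    """Handle an access token request of RFC 6749 section 4.3.2 and return the
    response body (success fields, or an error code from section 5.2)."""
    if params.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    try:
        client_id, authenticated = identify_client(params, headers)
    except ValueError as err:
        return {"error": str(err)}

    user = USERS.get(params.get("username", ""))
    password = params.get("password", "")
    if user is None:
        _derive(password, b"dummy-salt")  # keep timing similar for unknown users
        return {"error": "invalid_grant"}
    salt, expected = user
    if not hmac.compare_digest(_derive(password, salt), expected):
        return {"error": "invalid_grant"}

    requested = set(params.get("scope", "read").split())
    allowed = set(CLIENTS[client_id]["allowed_scopes"])
    if not authenticated:
        # Example policy (assumption): never grant a privileged scope on the
        # strength of a client_id whose owner could not prove its identity.
        allowed.discard("admin")
    if not requested <= allowed:
        return {"error": "invalid_scope"}
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(requested)),
        "client_id": client_id,                 # illustrative, not an RFC field
        "client_authenticated": authenticated,  # illustrative, not an RFC field
    }
```

The design point is that the public client's request is not rejected for lacking credentials, which is what the question asks about, but nothing that requires the client's identity to be trustworthy (here, the "admin" scope) is ever decided on the basis of a client_id the server could not verify.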