Require client authentication for confidential clients
Created by: wansir
ks-console uses the Resource Owner Password Credentials Grant flow to issue an access_token. For security reasons, client authentication for confidential clients is required when posting an access token request. client_secret and client_id are configurable.
Related to: https://github.com/kubesphere/kubesphere/pull/3525
The authorization server MUST:
- require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements)
- authenticate the client if client authentication is included, and
- validate the resource owner password credentials using its existing password validation algorithm.
Example:
$ curl -X POST 'http://ks-apiserver.kubesphere-system.svc/oauth/token' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username=admin' \
    --data-urlencode 'password=P@88w0rd' \
    --data-urlencode 'client_id=default' \
    --data-urlencode 'client_secret=kubesphere'
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MzE4Njg1NjcsImlhdCI6MTYzMTg2MTM2NywiaXNzIjoiaHR0cHM6Ly9rcy53YW5zaXIuY29tL29hdXRoIiwic3ViIjoiYWRtaW4iLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwidXNlcm5hbWUiOiJhZG1pbiJ9.7aBzY1QExGiLctXK6EUQ00fyjNorXWSc2D7IugtIBwI",
  "token_type": "Bearer",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MzE4NzU3NjcsImlhdCI6MTYzMTg2MTM2NywiaXNzIjoiaHR0cHM6Ly9rcy53YW5zaXIuY29tL29hdXRoIiwic3ViIjoiYWRtaW4iLCJ0b2tlbl90eXBlIjoicmVmcmVzaF90b2tlbiIsInVzZXJuYW1lIjoiYWRtaW4ifQ.uqlLaZ9hJHqSinprhRxOGXd8bSft6Gqq07bCwo2dLew",
  "expires_in": 7200
}
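The three "MUST" rules above, carried through as an added Go example that is not part of this pull request or of KubeSphere's own token endpoint. It models the token request as a parsed form: the client is looked up and, when it is confidential or was issued a secret, its client_secret is checked with a constant-time comparison before the resource owner's password is ever evaluated, so an unauthenticated client learns nothing about user accounts. The client registry, VerifyPassword and IssueToken stubs, and the error-code strings are constructed for the example (the latter follow the RFC 6749 names); the client_id/client_secret and username/password values are the ones from the curl example above.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/url"
)

// OAuthClient is a constructed stand-in for a configured client entry;
// KubeSphere's real configuration schema is not reproduced here.
type OAuthClient struct {
	ID           string
	Secret       string // empty only for public clients
	Confidential bool
}

// TokenError is the OAuth 2.0 error code returned to the caller (RFC 6749 section 5.2).
type TokenError string

const (
	ErrInvalidRequest       TokenError = "invalid_request"
	ErrInvalidClient        TokenError = "invalid_client"
	ErrInvalidGrant         TokenError = "invalid_grant"
	ErrUnsupportedGrantType TokenError = "unsupported_grant_type"
)

func (e TokenError) Error() string { return string(e) }

// TokenServer bundles the client registry with the existing password check and
// token minting routines (both stubbed in this example).
type TokenServer struct {
	Clients        map[string]OAuthClient
	VerifyPassword func(username, password string) bool
	IssueToken     func(username string) string
}

// authenticateClient enforces the first two MUST rules: a confidential client,
// or any client that was issued a secret, must present a matching client_secret.
func (s *TokenServer) authenticateClient(form url.Values) (OAuthClient, error) {
	c, ok := s.Clients[form.Get("client_id")]
	if !ok {
		return OAuthClient{}, ErrInvalidClient
	}
	if c.Confidential || c.Secret != "" {
		// A confidential client with no configured secret is a misconfiguration;
		// fail closed rather than letting the empty string match.
		if c.Secret == "" {
			return OAuthClient{}, ErrInvalidClient
		}
		// Constant-time comparison avoids leaking the secret through timing.
		if subtle.ConstantTimeCompare([]byte(form.Get("client_secret")), []byte(c.Secret)) != 1 {
			return OAuthClient{}, ErrInvalidClient
		}
	}
	return c, nil
}

// HandlePasswordGrant processes a grant_type=password access token request.
// Client authentication happens before the resource owner's credentials are
// looked at (third MUST rule), so it never becomes a user-enumeration oracle.
func (s *TokenServer) HandlePasswordGrant(form url.Values) (map[string]interface{}, error) {
	if form.Get("grant_type") != "password" {
		return nil, ErrUnsupportedGrantType
	}
	if _, err := s.authenticateClient(form); err != nil {
		return nil, err
	}
	username, password := form.Get("username"), form.Get("password")
	if username == "" || password == "" {
		return nil, ErrInvalidRequest
	}
	if !s.VerifyPassword(username, password) {
		return nil, ErrInvalidGrant
	}
	return map[string]interface{}{
		"access_token": s.IssueToken(username),
		"token_type":   "Bearer",
		"expires_in":   7200,
	}, nil
}

// NewDemoServer wires up a constructed registry with the client and user from
// the curl example; the stub token is a placeholder, not a real JWT.
func NewDemoServer() *TokenServer {
	return &TokenServer{
		Clients: map[string]OAuthClient{
			"default": {ID: "default", Secret: "kubesphere", Confidential: true},
		},
		VerifyPassword: func(u, p string) bool { return u == "admin" && p == "P@88w0rd" },
		IssueToken:     func(u string) string { return "demo-token-for-" + u },
	}
}

func main() {
	s := NewDemoServer()
	// Same request as the curl example, but with client_secret omitted: rejected as invalid_client.
	_, err := s.HandlePasswordGrant(url.Values{
		"grant_type": {"password"}, "username": {"admin"}, "password": {"P@88w0rd"}, "client_id": {"default"},
	})
	fmt.Println("without client_secret:", err)
	resp, err := s.HandlePasswordGrant(url.Values{
		"grant_type": {"password"}, "username": {"admin"}, "password": {"P@88w0rd"},
		"client_id": {"default"}, "client_secret": {"kubesphere"},
	})
	fmt.Println("with client_secret:", resp, err)
}
```

Note the ordering: a wrong or missing client_secret yields invalid_client without touching the password store, while a correct client_secret with a bad password yields invalid_grant, which mirrors how the server's responses should be distinguishable to the client but not exploitable by an unauthenticated one.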