Overview

Authlete version 2.0 and later strictly check client type and client authentication method settings, and values specified in token requests. Some requests which are valid for Authlete 1.1 may be refused.

Difference between 1.1 and 2.0 (and later)

Verification policy

  Authlete 1.1: When a client secret is included in a token request, Authlete always verifies its value regardless of configuration (it ignores the settings for client type and client authentication method). Authlete accepts a token request with no client_id because it can derive the client identifier from other parameters such as the authorization code or refresh token.

  Authlete 2.0 and later: Verification behavior varies with the configured values of client type and client authentication method.
    A) Client type = public: the client authentication method must be none; other values cause an error.
    B) Client type = confidential: the client authentication method must not be none. If the method is client_secret_basic, the client secret must be sent in the Authorization header; if the method is client_secret_post, the client secret must be sent in the request body.

Default settings

  Authlete 1.1: client type = public; client authentication method = client_secret_basic
  Authlete 2.0 and later: client type = public; client authentication method = none

Notes on migrating from Authlete 1.1 to 2.0 and later

In version 1.1, if you have specified client_secret_basic as the client authentication method and a client sends a request with the client secret in the request body, Authlete verifies the value anyway. In version 2.0 and later, clients must include the client secret in the Authorization header when client_secret_basic is the configured client authentication method. Thus Authlete 2.0 returns an error for such a request even though it is valid for Authlete 1.1.
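The following is an added example, not Authlete's own code, that models the two verification policies described above side by side so you can see which token requests stop working after a migration. The client registrations, secrets and request shapes are constructed for illustration; the functions authenticate_v1 and authenticate_v2 are hypothetical simplifications (they require a client_id in the request and do not model 1.1's derivation of the client from an authorization code or refresh token, nor what either version does beyond the rules quoted on this page).

```python
import base64
import hmac
from dataclasses import dataclass

# Constructed client registrations (hypothetical, not real Authlete data).
CLIENTS = {
    "public-app": {"type": "public", "auth_method": "none", "secret": None},
    "web-app": {"type": "confidential", "auth_method": "client_secret_basic", "secret": "s3cr3t-basic"},
    "batch-job": {"type": "confidential", "auth_method": "client_secret_post", "secret": "s3cr3t-post"},
}


@dataclass
class TokenRequest:
    headers: dict  # HTTP headers of the token request
    body: dict     # form parameters of the token request


def _basic_credentials(headers):
    """Return (client_id, secret) from an HTTP Basic Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    client_id, secret = decoded.split(":", 1)
    return client_id, secret


def authenticate_v1(request, clients=CLIENTS):
    """1.1-style policy: if a secret is presented anywhere, verify it; ignore configured method."""
    basic = _basic_credentials(request.headers)
    client_id = basic[0] if basic else request.body.get("client_id")
    client = clients.get(client_id)
    if client is None:
        return False, "unknown client"
    presented = basic[1] if basic else request.body.get("client_secret")
    if presented is None:
        # Assumption for this example: no secret presented means nothing to verify.
        return True, "no secret presented; nothing verified"
    if client["secret"] is None or not hmac.compare_digest(presented, client["secret"]):
        return False, "bad client secret"
    return True, "secret verified regardless of configured method"


def authenticate_v2(request, clients=CLIENTS):
    """2.0-style policy: behaviour depends on client type and configured method (rules A and B)."""
    basic = _basic_credentials(request.headers)
    client_id = basic[0] if basic else request.body.get("client_id")
    client = clients.get(client_id)
    if client is None:
        return False, "unknown client"
    method = client["auth_method"]

    # Rule A: a public client must be configured with method 'none'.
    if client["type"] == "public":
        if method != "none":
            return False, "public client must use method 'none'"
        return True, "public client accepted"

    # Rule B: a confidential client must not use 'none', and the secret must be
    # in the location the configured method requires.
    if method == "none":
        return False, "confidential client must not use method 'none'"
    if method == "client_secret_basic":
        if basic is None:
            return False, "client_secret_basic requires the Authorization header"
        presented = basic[1]
    elif method == "client_secret_post":
        presented = request.body.get("client_secret")
        if presented is None:
            return False, "client_secret_post requires client_secret in the body"
    else:
        return False, f"unsupported method {method}"
    if not hmac.compare_digest(presented, client["secret"]):
        return False, "bad client secret"
    return True, f"confidential client accepted via {method}"


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization header for the given credentials."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


# Constructed sample token requests covering the migration cases.
SAMPLE_REQUESTS = {
    "basic_secret_in_header": TokenRequest(basic_header("web-app", "s3cr3t-basic"),
                                           {"grant_type": "authorization_code", "code": "c1"}),
    "basic_secret_in_body": TokenRequest({}, {"grant_type": "authorization_code", "code": "c2",
                                              "client_id": "web-app", "client_secret": "s3cr3t-basic"}),
    "post_secret_in_body": TokenRequest({}, {"grant_type": "client_credentials",
                                             "client_id": "batch-job", "client_secret": "s3cr3t-post"}),
    "post_secret_in_header": TokenRequest(basic_header("batch-job", "s3cr3t-post"),
                                          {"grant_type": "client_credentials"}),
    "public_no_secret": TokenRequest({}, {"grant_type": "authorization_code", "code": "c3",
                                          "client_id": "public-app"}),
    "wrong_secret": TokenRequest(basic_header("web-app", "wrong"),
                                 {"grant_type": "authorization_code", "code": "c4"}),
}


def compare_policies(requests=SAMPLE_REQUESTS):
    """Map each sample request name to (accepted_by_1_1, accepted_by_2_0)."""
    return {name: (authenticate_v1(r)[0], authenticate_v2(r)[0]) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (v1, v2) in compare_policies().items():
        print(f"{name:24s} 1.1={'ok ' if v1 else 'err'}  2.0={'ok ' if v2 else 'err'}")
```

Running it shows the two requests that break on migration: a client configured with client_secret_basic that posts its secret in the body, and a client configured with client_secret_post that sends it in the Authorization header. Both pass the 1.1 policy because the secret is simply verified wherever it appears, and both fail the 2.0 policy because the secret is not where the configured method requires it. Auditing your registered clients' auth methods against what they actually send, using a check of this shape against logged requests, is the practical pre-migration step.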