Disable CLIENT_CREDENTIALS grant_type

Article ID: 192446

Products

CA Mobile API Gateway CA Rapid App Security

Issue/Introduction

Is it possible to disable a specific grant_type, in this case the CLIENT_CREDENTIALS grant_type, so that an unsupported grant_type error is returned if it is requested?
Use case scenario:
Applications to access the services published in our API-Gateway use custom logins, in which we pass these parameters:
ClientID
ClientSecret
Grant-type
Scopes
User
Password
....

And in Policies we validate they have a token with a specific scope.

If somebody gets the ClientID and ClientSecret, they can get a valid token with the scopes assigned to this client using grant-type CLIENT_CREDENTIALS.

We have created a custom login similar to CLIENT_CREDENTIALS in order to get a valid token for anonymous policies, and in this custom login we can filter what we think is necessary (e.g. special scopes reserved for users with usr/pwd login), but with grant-type CLIENT_CREDENTIALS they can bypass this and get these scopes.

So is there no way to disable this grant-type?



Environment

Release : 4.2

Component : MOBILE API

Resolution

There is no officially supported way to disable a specific grant type. It can, however, be achieved by tweaking the OTK configuration in the policy "#OTK Configured Grant Types": create the variable grant_type_client_credentials and set it to a dummy string such as "disable" or "false" (anything other than "client_credentials"). A token request using grant_type=client_credentials will then be rejected with 400 Bad Request and error 3003119. We recommend the customer tests this thoroughly before implementing it in production.
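The workaround works because the token endpoint only honours a grant_type whose literal value matches one of the configured grant-type variables. The Python model below is added here as an illustration; it is not the KB's or the OTK's own policy code. It assumes the other variables follow the same grant_type_<name> naming as grant_type_client_credentials, uses a constructed client registry and error description, and takes only the 3003119 error code from the article. Run with the default configuration, a leaked client id and secret yield a token carrying every scope assigned to the client (the exposure raised in the question); with the overridden configuration the same request is rejected while the password grant keeps working.

```python
import secrets

# Assumption (not confirmed by the KB): the "#OTK Configured Grant Types" policy
# publishes one context variable per grant type, grant_type_<name>, whose value is
# the literal string the token endpoint expects in the grant_type parameter.
DEFAULT_GRANT_TYPE_CONFIG = {
    "grant_type_client_credentials": "client_credentials",
    "grant_type_password": "password",
    "grant_type_refresh_token": "refresh_token",
}

# The workaround from the resolution: keep the variable, but give it a value that
# no real request will ever send, so client_credentials can no longer be matched.
HARDENED_GRANT_TYPE_CONFIG = {
    **DEFAULT_GRANT_TYPE_CONFIG,
    "grant_type_client_credentials": "disabled",
}

# Constructed sample registry: one client whose assigned scopes include a scope
# the question wants reserved for user (usr/pwd) logins.
CLIENTS = {"app1": {"secret": "app1-secret", "scopes": {"read", "write", "admin"}}}
USERS = {"alice": "correct-horse"}

ERROR_CODE_UNSUPPORTED_GRANT = 3003119  # error code quoted in the KB resolution


def _reject_grant(requested):
    return 400, {
        "error": "unsupported_grant_type",  # standard OAuth 2.0 error string
        "error_code": ERROR_CODE_UNSUPPORTED_GRANT,
        "error_description": f"grant_type '{requested}' is not enabled",  # constructed text
    }


def _authenticate_client(params):
    client = CLIENTS.get(params.get("client_id"))
    if client is None or not secrets.compare_digest(
        client["secret"], params.get("client_secret", "")
    ):
        return None
    return client


def _grant_client_credentials(params, client):
    # Only the client secret was presented, yet every scope assigned to the client
    # is issuable: this is the exposure the question describes.
    return 200, {
        "access_token": secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "scope": " ".join(sorted(client["scopes"])),
    }


def _grant_password(params, client):
    # A user credential is required on top of the client credential.
    stored = USERS.get(params.get("username", ""))
    if stored is None or not secrets.compare_digest(stored, params.get("password", "")):
        return 400, {"error": "invalid_grant"}
    return 200, {
        "access_token": secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "scope": " ".join(sorted(client["scopes"])),
    }


GRANT_HANDLERS = {
    "client_credentials": _grant_client_credentials,
    "password": _grant_password,
}


def handle_token_request(params, config):
    """Dispatch a token request the way the described gate does: the incoming
    grant_type must equal one of the configured variable values, and only then
    is the handler for that grant reached."""
    requested = params.get("grant_type", "")
    if requested not in config.values():
        return _reject_grant(requested)
    handler = GRANT_HANDLERS.get(requested)
    if handler is None:  # e.g. the sentinel "disabled" sent back verbatim
        return _reject_grant(requested)
    client = _authenticate_client(params)
    if client is None:
        return 401, {"error": "invalid_client"}
    return handler(params, client)


if __name__ == "__main__":
    leaked = {"grant_type": "client_credentials", "client_id": "app1", "client_secret": "app1-secret"}
    print("default :", handle_token_request(leaked, DEFAULT_GRANT_TYPE_CONFIG))
    print("hardened:", handle_token_request(leaked, HARDENED_GRANT_TYPE_CONFIG))
```

After applying the change on a gateway, the equivalent check is to POST grant_type=client_credentials with a valid client id and secret to the token endpoint and confirm a 400 response carrying error 3003119, then repeat with the grant types that must keep working (password, refresh_token, and the custom login) to confirm they are unaffected.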

A sample screenshot is attached: