
The authenticated client is not authorized to use this authorization grant type response to an OAuth 2.0 endpoint in AM 6.5.x

Last updated Aug 20, 2019

The purpose of this article is to provide assistance if you encounter the following error when making a call to an OAuth 2.0 endpoint in AM 6.5.x: "The authenticated client is not authorized to use this authorization grant type" or a refresh_token is not issued.


Symptoms

The following error is returned when you make a call to an OAuth 2.0 endpoint using a flow other than authorization_code:

{
  "error": "unauthorized_client",
  "error_description": "The authenticated client is not authorized to use this authorization grant type."
}

In AM 6.5.0.2 (and later 6.5.0.x patches) and AM 6.5.1 onwards, refresh_tokens are not issued even though the Issue Refresh Tokens on Refreshing Access Tokens option is enabled for the OAuth2 provider.

Recent Changes

Upgraded to, or installed AM 6.5 or later.

Causes

Changes were made in AM 6.5 to allow OAuth2 clients to be restricted to particular grant flows. In previous versions, AM/OpenAM would issue tokens for any inbound grant_type. This change means you must explicitly add permitted grant types to each client when you create them; the authorization_code grant type is added to all new clients by default as it's the most secure flow. If a client has not been configured for a particular grant type (for example, Implicit) and you make a call to an OAuth2 endpoint using that grant_type, it will fail with the error shown in the Symptoms section.

Subsequent changes were made in AM 6.5.0.2 and AM 6.5.1 that extend the above behavior to include Refresh Tokens. This means the refresh_token grant type must now be added to OAuth2 clients in order to obtain a refresh token.

See Release Notes › Improvements in AM 6.5 and Release Notes › Important Changes in AM 6.5.1 for further information about these changes. 

Note

If you upgrade to AM 6.5 and later by following the recommended process to upgrade the data in the configuration store (via the Upgrade Wizard in the console or by using the upgrade tool), all grant types are added to existing clients to maintain backwards compatibility. This means you will only need to configure grant_types for new clients if you have upgraded.
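The following Python is an added illustration, not ForgeRock's code or AM's implementation, of the behavior described in the Causes section and the Note above: a client holds a set of permitted grant types, a request using a grant type outside that set gets the unauthorized_client error shown under Symptoms, a refresh_token is only issued (AM 6.5.0.2 / 6.5.1 onwards) when the client is also permitted the refresh_token grant type, and the upgrade step adds every grant type to an existing client. The grant_type wire values chosen for the console names, the token response layout and the sample client are this example's assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Standard grant_type parameter values for the grant types the Upgrade Wizard adds to
# existing clients (console names from the Solution section). Mapping the console names
# to these wire values is this example's assumption, not taken from the article.
ALL_GRANT_TYPES = {
    "authorization_code",                                  # Authorization Code
    "urn:openid:params:grant-type:ciba",                   # Back Channel Request
    "implicit",                                            # Implicit
    "password",                                            # Resource Owner Password Credentials
    "client_credentials",                                  # Client Credentials
    "refresh_token",                                       # Refresh Token
    "urn:ietf:params:oauth:grant-type:uma-ticket",         # UMA
    "urn:ietf:params:oauth:grant-type:device_code",        # Device Code
    "urn:ietf:params:oauth:grant-type:saml2-bearer",       # SAML2
}

# Grants for which a refresh token makes sense; RFC 6749 says none should be issued for
# client_credentials, and the implicit flow never returns one.
REFRESH_CAPABLE = ALL_GRANT_TYPES - {"client_credentials", "implicit"}

# Exact error body the article shows when the grant type is not permitted for the client.
UNAUTHORIZED_CLIENT = {
    "error": "unauthorized_client",
    "error_description": "The authenticated client is not authorized to use this authorization grant type.",
}


@dataclass
class OAuth2Client:
    client_id: str
    # AM 6.5 adds only authorization_code to a newly created client.
    grant_types: set = field(default_factory=lambda: {"authorization_code"})


def upgrade_client(client: OAuth2Client) -> OAuth2Client:
    """What the upgrade of the configuration store does to an existing client: add all grant types."""
    client.grant_types |= ALL_GRANT_TYPES
    return client


def token_request(client: OAuth2Client, grant_type: str, refresh_rule_enforced: bool = True) -> dict:
    """Model of the per-client grant-type check AM 6.5 applies before issuing tokens.

    refresh_rule_enforced=True models AM 6.5.0.2 / 6.5.1 onwards, where a refresh_token is
    only issued if the client is also permitted the refresh_token grant type; False models
    the earlier 6.5.0.x behaviour the article contrasts it with.
    """
    if grant_type not in client.grant_types:
        return dict(UNAUTHORIZED_CLIENT)
    # Constructed token values; a real AM response carries JWT or opaque tokens.
    response = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}
    if grant_type in REFRESH_CAPABLE and (not refresh_rule_enforced or "refresh_token" in client.grant_types):
        response["refresh_token"] = secrets.token_urlsafe(24)
    return response


def missing_grant_types(client: OAuth2Client, required: set) -> set:
    """Configuration check: which grant types an application needs that the client lacks."""
    return set(required) - client.grant_types


if __name__ == "__main__":
    # Constructed sample: a client created fresh in AM 6.5, so only authorization_code is permitted.
    app = OAuth2Client("my-new-client")
    print(token_request(app, "password"))                 # unauthorized_client error
    print(token_request(app, "authorization_code"))       # access token, no refresh_token
    print(missing_grant_types(app, {"authorization_code", "refresh_token"}))
    upgrade_client(app)
    print(token_request(app, "authorization_code"))       # now includes refresh_token
```

Running `missing_grant_types` against the set of grant types an application actually uses is the quickest way to confirm, before changing anything, whether a client created after the upgrade is the reason a flow fails or a refresh_token is absent.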

Solution

This issue can be resolved as follows depending on whether you are experiencing issues with existing clients and/or new clients:

Existing clients

Follow the steps in the Upgrade guide to upgrade the data in the configuration store to ensure all existing clients have all grant types (Authorization Code, Back Channel Request, Implicit, Resource Owner Password Credentials, Client Credentials, Refresh Token, UMA, Device Code, SAML2). See Upgrade Guide › To Upgrade From a Supported Version for further information.

New clients

Add permitted grant types to your clients using either the console or Amster:

See Also

How do I perform common OAuth 2.0 tasks using curl commands with the standard endpoints in AM/OpenAM (All versions)?

FAQ: OAuth 2.0 in AM/OpenAM

OAuth 2.0 in AM/OpenAM

OAuth 2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

OPENAM-14780 (Refresh token missing when switching from 6.5.0 to 6.5.1)

OPENAM-14111 (Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow)

OPENAM-11032 (Need an option to limit, allow or deny OAuth2.0 flows per application)



Copyright © 2019 ForgeRock, all rights reserved.