AM checks for secret stores even for non tls_client_auth OAuth2Clients

I have 2 OAuth2 clients

  • Client1: Token Endpoint Authentication Method = client_secret_post
  • Client2: Token Endpoint Authentication Method = tls_client_auth

For Client2, the Secret Stores (with the certs, alias mapping, etc.) are configured.

When we request an access token for Client2, the secret store is evaluated and validated, and the access token is generated as expected.

However, when we request an access token for Client1 using /oauth2/customer/access_token, the interesting part is that the Secret Store is evaluated as well, even though Client1 does not deal with certs and does not require the secret store (Client1 just uses client_secret_post as its auth method).

This seems overkill; ideally the secret store should be evaluated only when requesting an access token for a client whose auth method is tls_client_auth.

Also to be noted: the configured alias needs to be available in the keystore, otherwise it throws an exception; this could have been skipped…

In a nutshell, if something goes wrong with the secret store (say the alias is unavailable), the entire AM access token functionality would be broken; basically no client can request an access token until the secret store is fixed.

Probably there is a valid reason behind this design; I am just curious to understand it.

Thank you

Are you not signing or encrypting your tokens? Those would necessitate a lookup in the secret store.