Client ID behavior in security requirement processing

Security requirement processing checks for the client_id in the locations that the security requirement defines. When a client_id is found in more than one allowed location, the request is rejected. This behavior complies with RFC 6749, which forbids a client from using more than one authentication method in a single request, and it defends against an attacker who passes a client_id in multiple locations to probe which IDs are valid and which locations the API's security requirement accepts.

The following table lists the response code that is returned for each combination of security requirement definition and client_id locations when a request carries more than one client_id.

Table 1. Client ID behavior

Case 1
  Security requirement definition: Allow client_id in the query, and the request contains more than one client_id in the query.
  Response code: 401 Invalid client ID or secret.

Case 2
  Security requirement definition: Allow client_id in the header, and the request contains more than one client_id in the header.
  Response code: 401 Invalid client ID or secret.

Case 3
  Security requirement definition: Allow client_id in the header, and the request contains one or more client_id in the query and one client_id in the header.
  Response code: 200 OK. Only the header is checked.

Case 4
  Security requirement definition: Allow client_id in the query, and the request contains one or more client_id in the header and one client_id in the query.
  Response code: 200 OK. Only the query is checked.

Case 5
  Security requirement definition: Allow client_id in the header or the query, and the request contains one or more client_id in both the header and the query.
  Response code: 401 Invalid client ID or secret.

Case 6
  Security requirement definition: Allow client_id in the query, and the request contains a valid client_id in the header and an invalid client_id in the query.
  Response code: 401 Invalid client ID or secret.

Case 7
  Security requirement definition: Allow client_id in the header, and the request contains an invalid client_id in the header and a valid client_id in the query.
  Response code: 401 Invalid client ID or secret.

Case 8
  Security requirement definition: Allow client_id in the header or the query, and the request contains a valid client_id in both the header and the query.
  Response code: 403 Multiple client IDs.

Case 9
  Security requirement definition: Allow client_id in the header or the query, and the request contains an invalid client_id in both the header and the query.
  Response code: 401 Invalid client ID or secret.

Case 10
  Security requirement definition: Allow client_id in the header or the query, and the request contains a client_id in both the header and the query, but the client_id in the header is invalid.
  Response code: 200 OK. The query is used.

Case 11
  Security requirement definition: Allow client_id in the header or the query, and the request contains a client_id in both the header and the query, but the client_id in the query is invalid.
  Response code: 200 OK. The header is used.

Case 12
  Security requirement definition: Allow client_id in the query or the header, and the request does not contain a client_id in either the header or the query. In other words, the request carries no client credential even though client security is defined in the assembly.
  Response code: depends on the setting of the Return V5 responses property on the Compatibility tab of the API definition. For more information, see Configuring compatibility with API Connect v5-compatible APIs.
    • When enabled, 401 Invalid client ID or secret.
    • When disabled, 401 Client ID is missing.
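The decision logic in the table, written out as an added Python example that is not part of this documentation or of the gateway's own code. It assumes a header name (X-IBM-Client-Id, passed as a parameter), a constructed set of valid IDs, and two readings that the table does not spell out: case 5 is taken to mean that a location holds more than one client_id while both locations are present (cases 8 to 11 cover exactly one in each), and a request with no client_id in a single allowed location, or more than one client_id in the only location present when both are allowed, is treated like cases 12 and 1/2 respectively. Every such assumption is marked in a comment.

```python
from urllib.parse import parse_qs

# Responses exactly as the table names them.
INVALID = (401, "Invalid client ID or secret")
MISSING = (401, "Client ID is missing")
MULTIPLE = (403, "Multiple client IDs")
OK = (200, "OK")


def _client_ids_in_request(headers, query_string, header_name):
    """Collect every client_id value in the header and in the query.

    headers is a list of (name, value) pairs so repeated headers survive;
    parse_qs keeps repeated query keys as a list for the same reason.
    """
    header_vals = [v for name, v in headers if name.lower() == header_name.lower()]
    query_vals = parse_qs(query_string, keep_blank_values=True).get("client_id", [])
    return header_vals, query_vals


def check_client_id(allowed, headers, query_string, valid_ids, *,
                    header_name="X-IBM-Client-Id", v5_responses=False):
    """Return the (status, message) the table prescribes for one request.

    allowed is the set of locations the security requirement permits:
    {"header"}, {"query"} or {"header", "query"}. The header name is an
    assumption of this example, not something the table states.
    """
    allowed = set(allowed)
    header_vals, query_vals = _client_ids_in_request(headers, query_string, header_name)

    def single(vals):
        # Exactly one client_id in an allowed location: it must be valid.
        return OK if vals[0] in valid_ids else INVALID

    if allowed in ({"header"}, {"query"}):
        # Only the allowed location is ever inspected (cases 3, 4, 6, 7).
        vals = header_vals if allowed == {"header"} else query_vals
        if len(vals) > 1:
            return INVALID                      # cases 1 and 2
        if not vals:
            # Assumption: not in the table; handled like case 12.
            return INVALID if v5_responses else MISSING
        return single(vals)

    # Both locations are allowed.
    if header_vals and query_vals:
        if len(header_vals) > 1 or len(query_vals) > 1:
            return INVALID                      # case 5 (reading: several in one location)
        h_ok = header_vals[0] in valid_ids
        q_ok = query_vals[0] in valid_ids
        if h_ok and q_ok:
            return MULTIPLE                     # case 8
        if not h_ok and not q_ok:
            return INVALID                      # case 9
        return OK                               # cases 10 and 11: the valid one is used
    if header_vals or query_vals:
        vals = header_vals or query_vals
        if len(vals) > 1:
            return INVALID                      # assumption: same as cases 1 and 2
        return single(vals)
    return INVALID if v5_responses else MISSING  # case 12


if __name__ == "__main__":
    # Constructed sample: one valid ID, requests mirroring table cases 8 and 10.
    valid = {"good-id"}
    h = "X-IBM-Client-Id"
    print(check_client_id({"header", "query"}, [(h, "good-id")], "client_id=good-id", valid))
    print(check_client_id({"header", "query"}, [(h, "bad-id")], "client_id=good-id", valid))
```

Feeding the twelve table rows through check_client_id is a quick way to confirm that a gateway configuration behaves as documented: send each shape of request at a test API and compare the status and message with the tuple the function returns.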