Client ID behavior in security requirement processing
Security requirement processing checks for the client_id in the defined locations. When a client_id is found in more than one location, the request is rejected. This behavior complies with RFC 6749 and protects against threats where an attacker attempts to glean ID validity and API security requirements by passing a client_id in multiple locations.

The following table explains the response code that results from the security requirement definition and the locations of more than one client_id in a request.
Case | Security requirement definition | Response code |
---|---|---|
1 | Allow client_id in the query, and the request contains more than one client_id in the query. | 401 Invalid client ID or secret. |
2 | Allow client_id in the header, and the request contains more than one client_id in the header. | 401 Invalid client ID or secret. |
3 | Allow client_id in the header, and the request contains one or more client_id in the query and one client_id in the header. | 200 OK. Only the header is checked. |
4 | Allow client_id in the query, and the request contains one or more client_id in the header and one client_id in the query. | 200 OK. Only the query is checked. |
5 | Allow client_id in the header or the query, and the request contains one or more client_id in both the header and query. | 401 Invalid client ID or secret. |
6 | Allow client_id in the query, and the request contains a valid client_id in the header and an invalid client_id in the query. | 401 Invalid client ID or secret. |
7 | Allow client_id in the header, and the request contains an invalid client_id in the header and a valid client_id in the query. | 401 Invalid client ID or secret. |
8 | Allow client_id in the header or query, and the request contains a valid client_id in both the header and query. | 403 Multiple client IDs. |
9 | Allow client_id in the header or query, and the request contains an invalid client_id in both the header and query. | 401 Invalid client ID or secret. |
10 | Allow client_id in the header or query, and the request contains a client_id in both the header and query, and the client_id in the header is invalid. | 200 OK. The query is used. |
11 | Allow client_id in the header or query, and the request contains a client_id in both the header and query, and the client_id in the query is invalid. | 200 OK. The header is used. |
12 | Allow client_id in the query or header, and the request does not contain a client_id in either the header or query. In other words, no security requirement is satisfied although client security is defined in the assembly. | The response depends on the setting of the Return V5 responses property on the Compatibility tab of the API definition. For more information, see Configuring compatibility with API Connect v5-compatible APIs. |
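The following Python function is an added illustration of the decision logic the table describes; it is not the gateway's own code. It assumes a security requirement expressed as a set of allowed locations, a constructed registry of known client IDs, and a sentinel result for case 12 (whose status depends on the compatibility setting). Because case 5 would otherwise conflict with cases 8, 10 and 11, the example reads case 5 as the situation where an allowed location carries more than one client_id; that reading is an assumption of the example.

```python
"""Decision logic for where a client_id may appear in a request.

Added example (not the product's own code). Status codes follow the table;
the allowed-location set, the ID registry and the case 12 sentinel are
assumptions of this example.
"""

QUERY, HEADER = "query", "header"

# Constructed registry of client IDs the API recognizes (placeholder values).
VALID_CLIENT_IDS = {"good-client-1", "good-client-2"}

# Responses as given in the table. Case 12 has no fixed status code, so it is
# reported as a sentinel rather than a number.
INVALID = (401, "Invalid client ID or secret")
MULTIPLE = (403, "Multiple client IDs")
DEPENDS_ON_COMPAT = (None, "depends on Return V5 responses setting")


def evaluate_client_id(allowed, query_ids, header_ids, valid_ids=VALID_CLIENT_IDS):
    """Return (status, detail) for a request carrying the given client_ids.

    allowed    : set containing QUERY and/or HEADER (the security requirement)
    query_ids  : client_id values found in the query string
    header_ids : client_id values found in the request headers
    """
    present = {QUERY: list(query_ids), HEADER: list(header_ids)}

    # Only locations named in the security requirement are examined (cases 3, 4):
    # a client_id in a location that is not allowed is simply ignored.
    considered = {loc: ids for loc, ids in present.items() if loc in allowed}

    # More than one client_id in a single checked location is rejected
    # (cases 1, 2, and case 5 under the reading stated in the lead-in).
    if any(len(ids) > 1 for ids in considered.values()):
        return INVALID

    found = {loc: ids[0] for loc, ids in considered.items() if ids}

    if not found:
        # Case 12: no client_id in any allowed location.
        return DEPENDS_ON_COMPAT

    valid = {loc: cid for loc, cid in found.items() if cid in valid_ids}

    if len(found) == 1:
        # Exactly one allowed location carries a client_id (cases 3, 4, 6, 7).
        loc = next(iter(found))
        return (200, f"OK, {loc} used") if loc in valid else INVALID

    # Both locations are allowed and both carry exactly one client_id.
    if len(valid) == 2:
        return MULTIPLE  # case 8: two valid IDs is an ambiguous request
    if len(valid) == 1:
        loc = next(iter(valid))
        return (200, f"OK, {loc} used")  # cases 10, 11: the valid one is used
    return INVALID  # case 9: both invalid


if __name__ == "__main__":
    # Case 8: valid client_id in both header and query, both allowed.
    print(evaluate_client_id({QUERY, HEADER}, ["good-client-1"], ["good-client-2"]))
```

The function isolates the single rule that matters for the threat described above: when both locations are allowed and both carry a valid ID, the request is refused rather than silently picking one, so a caller cannot learn anything about ID validity by spreading a client_id across locations.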