Description
Once the backend service app is created, the following misconfigurations are possible/present:
| Setting | Expected | Actual |
| --- | --- | --- |
| Response type `code` | Should not be available | Can be enabled |
| Token endpoint auth method | `client_secret_post` or `private_key_jwt` | Defaults to `none` |
| Client type | Confidential (non-editable) | Can be changed to public |
Token Configuration:
- User-info endpoint settings are exposed — not applicable, since there is no end-user context in M2M flows.
- The ID Token section contains user-related claims/configs. Ideally, ID tokens should not be applicable to backend service apps at all.
- Access token settings are user-specific (e.g., user attributes, user claims) — for M2M apps these should be app/client-specific instead.
Flow configuration:
- Flow settings are not applicable to backend apps, unless app-specific flows are defined.
Backend service apps use the Client Credentials grant exclusively — they have no authorization endpoint interaction, and must always be confidential clients.
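As an added example (not the project's own code), the check below validates a backend service app's client settings against the expectations in the table and list above, flagging the misconfigured wizard defaults beside the hardened shape. The field names (`client_type`, `token_endpoint_auth_method`, `response_types`, `grant_types`, `id_token_enabled`) are assumptions modelled on RFC 7591 client metadata, not this project's schema.

```python
# Added example (not the project's own code): validate a backend service (M2M)
# app's OAuth client settings. Field names are assumptions, not the project's schema.
from typing import Any

# Token endpoint auth methods acceptable for a confidential M2M client
ALLOWED_AUTH_METHODS = {"client_secret_post", "private_key_jwt"}


def check_backend_app(cfg: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the config is acceptable."""
    findings: list[str] = []
    if cfg.get("client_type") != "confidential":
        findings.append("client_type must be 'confidential' for backend service apps")
    method = cfg.get("token_endpoint_auth_method", "none")  # 'none' is the bad default
    if method not in ALLOWED_AUTH_METHODS:
        findings.append(f"token_endpoint_auth_method is '{method}'; expected one of "
                        f"{sorted(ALLOWED_AUTH_METHODS)}")
    if "code" in cfg.get("response_types", []):
        findings.append("response_type 'code' must not be enabled: "
                        "M2M apps have no authorization endpoint interaction")
    grants = set(cfg.get("grant_types", []))
    if grants != {"client_credentials"}:
        findings.append(f"grant_types must be exactly ['client_credentials'], got {sorted(grants)}")
    if cfg.get("id_token_enabled", False):
        findings.append("ID token settings are not applicable: there is no end user to identify")
    return findings


# Constructed sample: what a permissive wizard can produce, per the report
MISCONFIGURED_APP = {
    "client_type": "public",
    "token_endpoint_auth_method": "none",
    "response_types": ["code"],
    "grant_types": ["client_credentials", "authorization_code"],
    "id_token_enabled": True,
}

# Constructed sample: the expected shape for a backend service app
HARDENED_APP = {
    "client_type": "confidential",
    "token_endpoint_auth_method": "private_key_jwt",
    "response_types": [],
    "grant_types": ["client_credentials"],
    "id_token_enabled": False,
}

if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED_APP), ("hardened", HARDENED_APP)):
        print(name, check_backend_app(cfg) or "OK")
```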
Steps to Reproduce
Onboard a Backend Service application from the app creation wizard.
Version
v0.34.0
Environment Details (with versions)
No response