This oauth2 server implementation does not allow storing, nor does it treat, confidential clients differently from public ones.
This is a problem, and is also the reason why it's not possible to make public-only clients that can only use the auth code flow grant with PKCE, without fixing it like I did in #230, which basically circumvents this by allowing a secret to be set on a client while at the same time allowing a secret-less auth code flow. Without my suggested fix, if you set the secret to a blank or nil value, you will be able to request a token from the token endpoint with the client_credentials grant without even passing in the secret, which is horrendous.
ref https://oauth.net/2/client-types/
EDIT: remade the #230 PR into a new PR #234
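The client-type rule the report is asking for, written here as an added example in Go; it is not code from the project or from the reporter, and the `Client`, `TokenRequest` and `AuthorizeTokenRequest` names, the in-memory store and the error strings are assumptions. It shows the two checks the issue describes: a confidential client with an empty stored secret is refused rather than authenticated by an empty-string match, and a public client is barred from `client_credentials` and must present a PKCE `code_verifier` on the authorization-code grant.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// ClientType separates confidential clients (able to keep a secret) from
// public ones (browser or native apps that cannot), per RFC 6749 section 2.1.
type ClientType int

const (
	Confidential ClientType = iota
	Public
)

// Client is an assumed registered-client record; a real store will differ.
type Client struct {
	ID     string
	Type   ClientType
	Secret string // empty for public clients
}

// TokenRequest is an assumed, minimal view of a token-endpoint request.
type TokenRequest struct {
	ClientID     string
	ClientSecret string // from Basic auth or the body; empty if absent
	GrantType    string // "client_credentials", "authorization_code", ...
	CodeVerifier string // PKCE verifier; empty if absent
}

// Errors use the RFC 6749 error codes as their prefix.
var (
	ErrUnknownClient   = errors.New("invalid_client: unknown client")
	ErrBadSecret       = errors.New("invalid_client: client authentication failed")
	ErrGrantNotAllowed = errors.New("unauthorized_client: grant not allowed for public client")
	ErrPKCERequired    = errors.New("invalid_request: code_verifier required for public client")
)

// AuthorizeTokenRequest applies the client-type rules before any grant logic
// runs. It returns nil only when the request is acceptable for that client.
func AuthorizeTokenRequest(store map[string]Client, req TokenRequest) error {
	c, ok := store[req.ClientID]
	if !ok {
		return ErrUnknownClient
	}
	switch c.Type {
	case Confidential:
		// An empty stored secret is a misconfiguration, never a credential:
		// refuse instead of letting "" == "" authenticate the client.
		if c.Secret == "" ||
			subtle.ConstantTimeCompare([]byte(c.Secret), []byte(req.ClientSecret)) != 1 {
			return ErrBadSecret
		}
		return nil
	case Public:
		// Public clients cannot authenticate, so a grant that rests solely on
		// client authentication is not available to them.
		if req.GrantType == "client_credentials" {
			return ErrGrantNotAllowed
		}
		// Without a secret, PKCE is what binds the code to the requester.
		if req.GrantType == "authorization_code" && req.CodeVerifier == "" {
			return ErrPKCERequired
		}
		return nil
	}
	return fmt.Errorf("invalid_client: unsupported client type %d", c.Type)
}

func main() {
	// Constructed sample store: one public SPA, one confidential backend,
	// and one confidential client whose secret was left blank.
	store := map[string]Client{
		"spa":     {ID: "spa", Type: Public},
		"backend": {ID: "backend", Type: Confidential, Secret: "s3cret"},
		"broken":  {ID: "broken", Type: Confidential, Secret: ""},
	}
	cases := []TokenRequest{
		{ClientID: "spa", GrantType: "client_credentials"},
		{ClientID: "spa", GrantType: "authorization_code"},
		{ClientID: "spa", GrantType: "authorization_code", CodeVerifier: "dBjftJeZ4CVP"},
		{ClientID: "broken", GrantType: "client_credentials", ClientSecret: ""},
		{ClientID: "backend", GrantType: "client_credentials", ClientSecret: "s3cret"},
	}
	for _, r := range cases {
		fmt.Printf("%-8s %-20s -> %v\n", r.ClientID, r.GrantType, AuthorizeTokenRequest(store, r))
	}
}
```

The confidential branch rejects an empty stored secret before comparing, so the "blank or nil secret" case from the report fails closed; the public branch never consults the secret at all, because a public client has none to check.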