Adds support for confidential clients / clients which have been issued client credentials #36
Conversation
…d client credentials as per rfc6749\#section-3.2.1
|
Just curious what the use case would be for client_id/client_secret. There's not much added security when you use it in a JS app that you deploy to the internet (and thus the secret is revealed to everybody) right? |
|
You are correct in your thinking but this serves a few purposes as disclosed in §3.2.1 of the spec: o Recovering from a compromised client by disabling the client or o Implementing authentication management best practices, which So if I set up my API so it didn't require client credentials and someone started hammering my API, I'd have no way of cutting them of except basically turning off the API. With client credentials I can basically revoke and reissue just the one set and keep all other apps which use the api running. Its also good for identification purposes, fine someone could steal them and abuse them but other than malicious traffic I know what app a request is coming from. Additionally some OAuth libraries require it. In particular Doorkeepers latest release. This seems to be fixed on head. |
Adds support for confidential clients / clients which have been issued client credentials
|
Be aware that this is going to change slightly when I release the big refactoring that introduces strategies (see #20). The functionality is going to stay, it will just be moved into a strategy. |
* ember-cli-build: Remove "StripTestSelectorsTransform" from registry This will be added automatically be the addon itself * Run tests with and without stripping test selectors
Adds support for confidential clients / clients which have been issued client credentials as per rfc6749#section-3.2.1 http://tools.ietf.org/html/rfc6749#section-3.2.1