Supporting "Public" OAuth Client registrations with Authorization Code grant flow #95
Comments
I'm using ORY Hydra as my provider with a public client. I tried to use an empty client_secret to work around the issue explained by @vrseraphin but the provider complains about sending the
I think it's important to support the authorization-code flow with public clients.
The OAuth spec calls out confidential and public client types:
https://tools.ietf.org/html/rfc6749#section-2.1
For public client types, a client_secret may not exist. Presently the processAuthorizationCodeResponse is throwing an error when client_secret is not defined in config. Are you expecting it to be defined with an empty value for public client types?
Also, at the bottom of https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/ within the "Client Authentication (required)" section it indicates that some implementations will not support the Authentication header but might expect client_id and client_secret to be within the posted params within the body. Can the library offer some way to be configured to support such servers?
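To make the two points in the issue concrete, here is an added example (not code from the library this issue is filed against, and not from ORY Hydra) of how a client can build the token-endpoint request for the authorization code grant so that it works for public clients, which have no client_secret, and for servers that expect client_id and client_secret in the form body rather than in an HTTP Basic Authorization header. The function name `buildTokenRequest`, the option `clientAuthMethod` and all sample values are assumptions for this example; the `code_verifier` parameter is the PKCE extension from RFC 7636, which the issue does not mention but which is the standard way to protect a public client's authorization code.

```javascript
// Added example, not the library's own API. Builds the POST request that
// redeems an authorization code at the token endpoint (RFC 6749 §4.1.3).
//
// Client authentication modes:
//   - public client: no secret exists, so client_id goes in the body and no
//     Authorization header is sent (RFC 6749 §2.1, §3.2.1).
//   - 'client_secret_basic': HTTP Basic header (RFC 6749 §2.3.1), the default
//     for confidential clients; id and secret are percent-encoded before joining.
//   - 'client_secret_post': client_id and client_secret as body params, for
//     servers that do not accept the Basic header (RFC 6749 §2.3.1 permits this).
function buildTokenRequest(opts) {
  const {
    tokenEndpoint,
    clientId,
    clientSecret,            // undefined, null or '' means a public client
    code,
    redirectUri,
    clientAuthMethod = 'client_secret_basic', // assumed option name
    codeVerifier,            // optional PKCE verifier (RFC 7636)
  } = opts;

  if (!tokenEndpoint || !clientId || !code || !redirectUri) {
    throw new Error('tokenEndpoint, clientId, code and redirectUri are required');
  }

  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
  });
  const headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    Accept: 'application/json',
  };

  const isPublicClient =
    clientSecret === undefined || clientSecret === null || clientSecret === '';

  if (isPublicClient) {
    // Public client: identify with client_id only; never send an empty
    // secret, which is what made the provider in the issue complain.
    params.set('client_id', clientId);
  } else if (clientAuthMethod === 'client_secret_basic') {
    const credentials =
      `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
    headers.Authorization =
      'Basic ' + Buffer.from(credentials, 'utf8').toString('base64');
  } else if (clientAuthMethod === 'client_secret_post') {
    params.set('client_id', clientId);
    params.set('client_secret', clientSecret);
  } else {
    throw new Error(`unsupported clientAuthMethod: ${clientAuthMethod}`);
  }

  if (codeVerifier) {
    params.set('code_verifier', codeVerifier);
  }

  return { url: tokenEndpoint, method: 'POST', headers, body: params.toString() };
}

// Sample values (constructed for this example) showing the three shapes.
const sampleRequests = {
  publicClient: buildTokenRequest({
    tokenEndpoint: 'https://issuer.example/oauth2/token',
    clientId: 'spa-client',
    code: 'SplxlOBeZQQYbYS6WxSbIA',
    redirectUri: 'https://app.example/callback',
    codeVerifier: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk',
  }),
  basicAuth: buildTokenRequest({
    tokenEndpoint: 'https://issuer.example/oauth2/token',
    clientId: 'web-client',
    clientSecret: 's3cret',
    code: 'SplxlOBeZQQYbYS6WxSbIA',
    redirectUri: 'https://app.example/callback',
  }),
  postAuth: buildTokenRequest({
    tokenEndpoint: 'https://issuer.example/oauth2/token',
    clientId: 'web-client',
    clientSecret: 's3cret',
    code: 'SplxlOBeZQQYbYS6WxSbIA',
    redirectUri: 'https://app.example/callback',
    clientAuthMethod: 'client_secret_post',
  }),
};

module.exports = { buildTokenRequest, sampleRequests };
```

The returned object can be handed straight to `fetch` or any HTTP client. The design point is that "public client" is decided by the absence of a secret rather than by a flag, so a configuration that leaves `client_secret` out (or empty, as the commenter tried) never produces a request with an empty credential, and servers that reject the Basic header can be served by switching `clientAuthMethod` without touching the rest of the flow.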