Support Public Clients for Password and Refresh Token Grant #1073
Labels
Milestone
Comments
|
Under the current implementation, we can't support public clients for the password grant or refresh token because we always check client credentials. We need to add a same is confidential check to these grants that we have for the auth code grant. This would be a BC break so won't be implemented until version 9. |
|
Quick workaround class PublicClientPasswordGrant extends PasswordGrant
{
protected function getClientCredentials(ServerRequestInterface $request): array
{
return ['', ''];
}
}
class PublicClientRefreshTokenGrant extends RefreshTokenGrant
{
protected function getClientCredentials(ServerRequestInterface $request): array
{
return ['', ''];
}
}
class PublicClientRepository implements ClientRepositoryInterface
{
public function getClientEntity($clientIdentifier)
{
$client = new ClientEntity();
$client->setIdentifier('public-client');
$client->setName('Public Client');
$client->setRedirectUri('https://example.com');
return $client;
}
public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
{
return true;
}
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Something that was confusing to me about this is the
AuthCodeGrantonly callsvalidateCredentialsfor private clients which made it seem like you no longer needed to check if the client was confidential before attempting to verify the secret.However the refresh token grant and password grant both are supposed to support public clients according to the OAuth specification and do not check
Client::isConfidentialbefore callingvalidateClient.Wouldn't that mean the
isConfidentialcheck in theAuthCodeGrantis unnecessary as you will need to check yourself invalidateClientin order to support the other grant types?Originally posted by @matt-allan in #1034 (comment)
The text was updated successfully, but these errors were encountered: