
Missing distinction between public and confidential clients #81

Open
Uzlopak opened this issue Nov 19, 2021 · 1 comment
Labels: enhancement ✨ (New feature or request), good first issue ✅ (Good for newcomers), low priority 🐢 (This is not high on our priority list)

Comments

@Uzlopak (Collaborator) commented Nov 19, 2021

Currently there is no distinction between confidential and public clients, as is required by RFC 6749.

We should add an attribute "type" to the Client object.
In the Authorization Grant flow (access token request), we need not only the client_id in the payload but also the client credentials in the authorization header if it is a confidential client. See RFC 6749 section 4.1.3.

Currently it is not really based on the client but on the grant_type and the requireClientAuthentication option. Since that distinction is missing, in theory a public client has to send a client_secret.

@jorenvandeweyer added the enhancement ✨, good first issue ✅ and low priority 🐢 labels on Aug 26, 2023

@jorenvandeweyer (Member) commented

So at the moment we assume all clients are private clients.

To implement this we should:

  • keep assuming all clients are private
  • allow to pass a client type
  • public clients should not fail getClientCredentials in token-handler.js

```js
getClientCredentials (request) {
  // Credentials from the HTTP Basic Authorization header take precedence.
  const credentials = auth(request);
  const grantType = request.body.grant_type;
  const codeVerifier = request.body.code_verifier;

  if (credentials) {
    return { clientId: credentials.name, clientSecret: credentials.pass };
  }

  // Credentials sent in the request body.
  if (request.body.client_id && request.body.client_secret) {
    return { clientId: request.body.client_id, clientSecret: request.body.client_secret };
  }

  // PKCE request: a client_id alone is accepted.
  if (pkce.isPKCERequest({ grantType, codeVerifier })) {
    if (request.body.client_id) {
      return { clientId: request.body.client_id };
    }
  }

  // Grant types that do not require client authentication: a client_id alone is accepted.
  if (!this.isClientAuthenticationRequired(grantType)) {
    if (request.body.client_id) {
      return { clientId: request.body.client_id };
    }
  }

  throw new InvalidClientError('Invalid client: cannot retrieve client credentials');
}
```

In conclusion, this would require some architectural changes since the validation is done before the client is fetched.
