Setting client_secret to an empty string does not comply with standards
#402
Comments
This makes little sense to me. If you don't have a secret issued, use the token_endpoint_auth_method client property

According to your documentation, as described in RFC6749,

@panva is correct here, it might be due to

This lib is fantastic! 🙏
Describe the bug
We are working with a provider which only supports client_secret_post or client_secret_basic for the token endpoint auth methods, and the authorization code grant, which does not use a client_secret parameter. As it says in the official OAuth 2.0 Authorization Framework documentation (https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1), the client MAY omit the parameter if the client secret is an empty string.
But having a look at the code (lib/helpers/client.js), in the authFor method this does not happen by default: it makes the client_secret parameter mandatory. I mean, if client_secret is an empty string it should return an object with just client_id, and if not, leave it as it is now, but that does not happen in this code, so I think it does not conform to the standard as I mentioned before.

To Reproduce
Set a client with token_endpoint_auth_method: 'client_secret_basic', set the client_id, and set the client_secret to an empty string. Some kind of message like this is shown:
Environment:
System:
OS: macOS 11.5.2
CPU: (8) x64 Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz
Memory: 326.37 MB / 16.00 GB
Shell: 5.8 - /bin/zsh
Binaries:
Node: 12.13.0 - /usr/local/bin/node
Yarn: 1.19.1 - ~/.yarn/bin/yarn
npm: 6.9.0 - /usr/local/bin/npm
Watchman: 4.9.0 - /usr/local/bin/watchman
Browsers:
Chrome: 95.0.4628.3
Safari: 14.1.2
npmPackages:
next: ^11.1.0 => 11.1.0
next-auth: 4.0.0-beta.2 => 4.0.0-beta.2
react: ^17.0.2 => 17.0.2
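As an added example (not code from openid-client, next-auth or this issue), the following Node.js snippet shows how a token-endpoint authenticator can handle the empty-secret case the report describes: for client_secret_post it omits client_secret when the secret is an empty string (RFC 6749 §2.3.1), for client_secret_basic it still sends the Basic header with an empty password (the omission clause in §2.3.1 is about the body parameter, not about HTTP Basic, and the RFC requires the id and secret to be form-encoded before base64), and for a client that has no secret at all it uses token_endpoint_auth_method 'none', which is the client property the maintainer's reply points at. The function names authFor, formEncode and parseBasic, the shape of the client object and the sample grant parameters are assumptions made for this example.

```javascript
// Added example, not openid-client's own implementation. Function names and the
// client object shape ({ client_id, client_secret, token_endpoint_auth_method })
// are assumptions for this illustration.

// RFC 6749 §2.3.1: client_id and client_secret are application/x-www-form-urlencoded
// before being joined with ":" and base64-encoded for the Basic scheme.
function formEncode(value) {
  return encodeURIComponent(value).replace(/%20/g, '+');
}

function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Build the client-authentication part of a token request.
// Returns { headers, body } where body is the form parameters to send.
function authFor(client, params) {
  const method = client.token_endpoint_auth_method || 'client_secret_basic';
  const secret = client.client_secret === undefined ? '' : String(client.client_secret);
  const body = { ...params };
  const headers = {};

  switch (method) {
    case 'none':
      // Public client (OIDC Core §9): identify with client_id only, never send a secret.
      body.client_id = client.client_id;
      break;
    case 'client_secret_post':
      body.client_id = client.client_id;
      // RFC 6749 §2.3.1: "The client MAY omit the parameter if the client secret
      // is an empty string." So an empty secret yields a body with just client_id.
      if (secret !== '') body.client_secret = secret;
      break;
    case 'client_secret_basic': {
      // HTTP Basic with an empty password is "<id>:"; the secret cannot be omitted
      // from this scheme, only left empty. client_id is not repeated in the body
      // when the client authenticates via the header (RFC 6749 §4.1.3).
      const creds = `${formEncode(client.client_id)}:${formEncode(secret)}`;
      headers.authorization = `Basic ${Buffer.from(creds, 'utf8').toString('base64')}`;
      break;
    }
    default:
      throw new TypeError(`unsupported token_endpoint_auth_method: ${method}`);
  }
  return { headers, body };
}

// What a token endpoint does with the header, so the round trip can be checked
// offline: split on the first ":" and form-decode both halves.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  return {
    client_id: formDecode(decoded.slice(0, idx)),
    client_secret: formDecode(decoded.slice(idx + 1)),
  };
}

// Constructed sample authorization-code grant parameters (not real values).
const codeGrant = {
  grant_type: 'authorization_code',
  code: 'SplxlOBeZQQYbYS6WxSbIA',
  redirect_uri: 'https://client.example.org/cb',
};

// The case from the issue: empty client_secret with each auth method.
const emptySecretClient = { client_id: 'my-client', client_secret: '' };
console.log(authFor({ ...emptySecretClient, token_endpoint_auth_method: 'client_secret_post' }, codeGrant));
console.log(authFor({ ...emptySecretClient, token_endpoint_auth_method: 'client_secret_basic' }, codeGrant));
console.log(authFor({ client_id: 'my-client', token_endpoint_auth_method: 'none' }, codeGrant));
```

The distinction worth keeping in mind when reading the issue: the RFC's "MAY omit" applies to the client_secret body parameter of client_secret_post; with client_secret_basic the header is still sent, just with an empty password; and a client that was never issued a secret should declare token_endpoint_auth_method 'none' rather than an empty client_secret.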