Support Public Clients for Password and Refresh Token Grant #1073

Open
Sephster opened this issue Nov 26, 2019 · 2 comments · May be fixed by #1420
@Sephster
Member

Something that was confusing to me about this is that the AuthCodeGrant only calls validateCredentials for private clients, which made it seem like you no longer needed to check if the client was confidential before attempting to verify the secret.

However, the refresh token grant and password grant are both supposed to support public clients according to the OAuth specification, and do not check Client::isConfidential before calling validateClient.

Wouldn't that mean the isConfidential check in the AuthCodeGrant is unnecessary, as you will need to check yourself in validateClient in order to support the other grant types?

Originally posted by @matt-allan in #1034 (comment)

@Sephster
Member Author

Sephster commented Nov 26, 2019

Under the current implementation, we can't support public clients for the password grant or refresh token grant because we always check client credentials. We need to add the same isConfidential check to these grants that we have for the auth code grant.

This would be a BC break so won't be implemented until version 9.

@eugene-borovov
Contributor

Quick workaround

```php
<?php

use League\OAuth2\Server\Grant\PasswordGrant;
use League\OAuth2\Server\Grant\RefreshTokenGrant;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
use Psr\Http\Message\ServerRequestInterface;

// Both grant subclasses return an empty [client_id, client_secret] pair, so the
// base grant never sees real credentials and the repository below is asked
// about an empty identifier.
class PublicClientPasswordGrant extends PasswordGrant
{
    protected function getClientCredentials(ServerRequestInterface $request): array
    {
        return ['', ''];
    }
}

class PublicClientRefreshTokenGrant extends RefreshTokenGrant
{
    protected function getClientCredentials(ServerRequestInterface $request): array
    {
        return ['', ''];
    }
}

// Repository that always resolves to a single fixed public client and never
// verifies a secret. ClientEntity is the application's own entity class.
// Because validateClient() unconditionally returns true, this repository must
// only be wired to the two public-client grant instances above, never to a
// server that also serves confidential clients.
class PublicClientRepository implements ClientRepositoryInterface
{
    public function getClientEntity($clientIdentifier)
    {
        // The identifier passed in is ignored (it is always '' here).
        $client = new ClientEntity();

        $client->setIdentifier('public-client');
        $client->setName('Public Client');
        $client->setRedirectUri('https://example.com');

        return $client;
    }

    public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
    {
        // No secret check: every request is treated as the public client.
        return true;
    }
}
```
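The fix Sephster describes (only verify the secret when the client is confidential, as AuthCodeGrant already does) can be applied to the password and refresh token grants from user land without disabling client validation altogether, which is what the workaround above does. The following is an added example, not code from the issue or from league/oauth2-server; it assumes the 8.x internals of `AbstractGrant` (`getClientCredentials()` returning `[client_id, client_secret]`, `getClientEntityOrFail()`, and a protected `validateClient()` that returns the client entity) and `ClientEntityInterface::isConfidential()`, and the trait and class names are made up here.

```php
<?php

declare(strict_types=1);

use League\OAuth2\Server\Grant\PasswordGrant;
use League\OAuth2\Server\Grant\RefreshTokenGrant;
use Psr\Http\Message\ServerRequestInterface;

/**
 * Hypothetical trait (not part of the library) that reproduces the
 * AuthCodeGrant pattern for other grants: look the client up by client_id
 * first, and only run the credential check when the client is confidential.
 *
 * Assumes the league/oauth2-server 8.x AbstractGrant API named in the lead-in.
 */
trait ConfidentialAwareClientValidation
{
    /**
     * Overrides AbstractGrant::validateClient(). Returns the client entity
     * the grant continues with, or throws invalid_client.
     */
    protected function validateClient(ServerRequestInterface $request)
    {
        [$clientId] = $this->getClientCredentials($request);

        // An unknown client_id is an invalid_client error for every client
        // type; getClientEntityOrFail() emits CLIENT_AUTHENTICATION_FAILED and
        // throws when the repository returns nothing.
        $client = $this->getClientEntityOrFail($clientId, $request);

        if ($client->isConfidential()) {
            // Confidential client: the secret must verify, exactly as before.
            // parent:: resolves to the grant class that uses this trait.
            return parent::validateClient($request);
        }

        // Public client (RFC 6749 section 2.1): identified by client_id alone,
        // so no secret is required and any secret sent anyway is ignored.
        // The repository's validateClient() is deliberately not consulted.
        return $client;
    }
}

// Drop-in replacements for the stock grants. Register these with the
// AuthorizationServer instead of PasswordGrant / RefreshTokenGrant.
class ConfidentialAwarePasswordGrant extends PasswordGrant
{
    use ConfidentialAwareClientValidation;
}

class ConfidentialAwareRefreshTokenGrant extends RefreshTokenGrant
{
    use ConfidentialAwareClientValidation;
}
```

Two things differ from the workaround above. Unknown client identifiers are still rejected, and the secret is still checked for every client whose entity reports `isConfidential() === true`, so the same `ClientRepositoryInterface` implementation can keep serving confidential clients. The repository's only new responsibility is to return entities whose `isConfidential()` reflects how the client was registered, since that flag is what decides whether the secret check runs.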
