
Client secret should be nullable

Open bburnichon opened this issue 11 years ago • 2 comments

From the code, Client::checkSecret($secret) compares the given secret to the internal secret when one is set.

To authorize identification from clients without access to a secret (for example: JavaScript or mobile), checkSecret should succeed, so $this->secret is set to null. The mapping does not allow this.

bburnichon, Nov 03 '14 12:11

Duplicate of #266

Spomky, Nov 03 '14 12:11

Mapping allows an empty string, though.

For the record, I solved the very same problem by:

  • setting the secret to an empty string for non-confidential clients (javascript or mobile apps);
  • extending the Client class and overriding the checkSecret method like so:
class MyClient extends \FOS\OAuthServerBundle\Entity\Client
{
    public function checkSecret($secret)
    {
        // secret can be omitted for public (non-confidential) clients
        if ('' === $this->secret && null === $secret) {
            return true;
        }

        return parent::checkSecret($secret);
    }
}

nclavaud, Mar 13 '19 14:03
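As an added, stand-alone illustration (not code from this issue or from the bundle itself), the script below models the override nclavaud describes and runs it over the cases that matter: confidential clients must still present the right secret, and only clients whose stored secret is the empty string may omit it. The `BaseClient` class is an assumed simplification standing in for `FOS\OAuthServerBundle\Model\Client`, reproducing its `null === $this->secret || $secret === $this->secret` comparison.

```php
<?php
// Added example: stand-alone model of the override discussed in the thread.
// BaseClient is an ASSUMED simplification of the bundle's Model\Client:
// any secret passes when none is stored, otherwise an exact match is required.
class BaseClient
{
    protected $secret;

    public function __construct($secret)
    {
        $this->secret = $secret;
    }

    public function checkSecret($secret)
    {
        return null === $this->secret || $secret === $this->secret;
    }
}

// The override from the comment: an empty stored secret marks a public
// (non-confidential) client, which is allowed to omit the secret (null).
class MyClient extends BaseClient
{
    public function checkSecret($secret)
    {
        if ('' === $this->secret && null === $secret) {
            return true;
        }
        // Everything else still goes through the bundle's comparison.
        return parent::checkSecret($secret);
    }
}

// Constructed cases: [stored secret, presented secret, expected result]
$cases = [
    ['s3cr3t', 's3cr3t', true],  // confidential client, correct secret
    ['s3cr3t', 'wrong',  false], // confidential client, wrong secret
    ['s3cr3t', null,     false], // confidential client must still send one
    ['',       null,     true],  // public client may omit the secret
    ['',       '',       true],  // public client sending '' (parent path)
    ['',       'x',      false], // public client with a bogus secret is rejected
];

foreach ($cases as [$stored, $presented, $expected]) {
    $result = (new MyClient($stored))->checkSecret($presented);
    printf("stored=%-8s presented=%-8s => %s\n", var_export($stored, true),
        var_export($presented, true), var_export($result, true));
    if ($result !== $expected) {
        fwrite(STDERR, "FAIL: unexpected result\n");
        exit(1);
    }
}
```

Note that the `===` comparison inherited from the bundle is not constant-time; for the confidential-client path, `hash_equals($this->secret, (string) $secret)` is the hardened choice.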