
Missing distinction between public and confidential clients

Open · Uzlopak opened this issue 4 years ago • 1 comment

Currently there is no distinction between confidential and public clients, as is required by RFC 6749.

We should add an attribute "type" to the Client object. In the Authorization Grant Flow, when the Access Token is used, we need not only the client_id in the payload but also the client credentials in the authorization header if it is a confidential client. See RFC 6749 4.1.3.

Currently it is not really based on the Client but on the grant_type and the requireClientAuthentication option. As it lacks this distinction, theoretically a public client has to send a client_secret.

Uzlopak avatar Nov 19 '21 18:11 Uzlopak

So at the moment we assume all clients are private clients.

To implement this we should

  • keep assuming all clients are private
  • allow to pass a client type
  • public clients should not fail getClientCredentials in token-handler.js

https://github.com/node-oauth/node-oauth2-server/blob/aaf28b4c5479d7f406046d8e8da2fc505c3e3326/lib/handlers/token-handler.js#L173-L199

In conclusion, this would require some architectural changes since the validation is done before the client is fetched.

jorenvandeweyer avatar Aug 26 '23 12:08 jorenvandeweyer