nebular
OpenIddict grant_type password doesn't require client_secret
Issue type
- [X] feature request
- [ ] bug report
Issue description
Current behavior: When requesting a token from /connect/token using NbOAuth2ClientAuthMethod.REQUEST_BODY, in the payload it sends: username, password, scope?, client_id and client secret. I get this response: The 'client_secret' parameter is not valid for this client application.

Expected behavior: I suggest adding a new NbOAuth2ClientAuthMethod which will allow us to get the access_token without sending client_secret, because right now if I don't include the client_secret in my configuration I get this error in the browser's console: "For request body client authentication method, please provide both clientId & clientSecret"

Steps to reproduce: Use NbOAuth2AuthStrategy with OpenIddict in the backend and try to get the token from /connect/token
Related code:
```typescript
protected addCredentialsToParams(params: any): any {
  if (this.clientAuthMethod === NbOAuth2ClientAuthMethod.REQUEST_BODY) {
    // this line in oauth-strategy.ts checks for clientSecret
    if (this.getOption('clientId') && this.getOption('clientSecret')) {
      return {
        ...params,
        client_id: this.getOption('clientId'),
        client_secret: this.getOption('clientSecret'),
      };
    } else {
      throw Error('For request body client authentication method, please provide both clientId & clientSecret.');
    }
  }
  return params;
}
```
Suggestion:
```typescript
protected addCredentialsToParamsOpenIddict(params: any): any {
  if (this.clientAuthMethod === NbOAuth2ClientAuthMethod.REQUEST_BODY_OPENIDDICT) {
    if (this.getOption('clientId')) {
      return {
        ...params,
        client_id: this.getOption('clientId')
      };
    } else {
      throw Error('For request body client authentication method, please provide clientId');
    }
  }
  return params;
}
```
**Angular, Nebular**
Abp 6, Angular 14, nebular 10
No answer
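An added example, not part of the original issue and not Nebular or OpenIddict code: it builds the form-encoded password-grant body for /connect/token, sending `client_id` alone for a public client and `client_secret` only for a confidential one. It assumes the Angular app is registered in the backend as a public client (no secret); `buildPasswordGrantBody`, `TokenClientOptions` and the `kind` field are hypothetical names.

```typescript
// Hypothetical helper types; none of these names exist in Nebular.
type ClientKind = 'public' | 'confidential';

interface TokenClientOptions {
  clientId: string;
  clientSecret?: string;
  kind: ClientKind;
}

interface PasswordGrant {
  username: string;
  password: string;
  scope?: string;
}

// Returns the application/x-www-form-urlencoded body for a password grant.
function buildPasswordGrantBody(client: TokenClientOptions, grant: PasswordGrant): string {
  if (!client.clientId) {
    throw new Error('clientId is required');
  }
  const params = new URLSearchParams();
  params.set('grant_type', 'password');
  params.set('username', grant.username);
  params.set('password', grant.password);
  if (grant.scope) {
    params.set('scope', grant.scope);
  }
  params.set('client_id', client.clientId);

  if (client.kind === 'confidential') {
    // Only a server-side client can keep a secret confidential.
    if (!client.clientSecret) {
      throw new Error('confidential client requires clientSecret');
    }
    params.set('client_secret', client.clientSecret);
  } else if (client.clientSecret) {
    // A secret configured in a browser app ships in the bundle and is
    // readable by every user, so reject the configuration outright.
    throw new Error('public client must not be configured with clientSecret');
  }
  return params.toString();
}

// Constructed sample input: a browser SPA identified by client_id only.
const sampleBody = buildPasswordGrantBody(
  { clientId: 'spa-client', kind: 'public' },
  { username: 'alice', password: 'p@ss word', scope: 'openid offline_access' },
);
```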