
Validate client secret for confidential clients

Open shawnz opened this issue 6 months ago • 0 comments

As discussed in this thread https://github.com/aliev/aioauth/discussions/91, the example app currently doesn't validate client secrets. This adds validation for client secrets as well as some tests to ensure the functionality works. The database schema was also changed to allow null client secrets for public non-confidential clients.

Before adding validation:

FAILED tests/test_oauth2.py::test_authorization_code_no_secret - AssertionError: no client secret for a confidential client should be rejected
FAILED tests/test_oauth2.py::test_authorization_code_wrong_secret - AssertionError: wrong client secret for a confidential client should be rejected

Results (28.04s):
       6 passed
       2 failed
         - tests/test_oauth2.py:88 test_authorization_code_no_secret
         - tests/test_oauth2.py:109 test_authorization_code_wrong_secret

After adding validation:

Results (26.11s):
       8 passed

shawnz avatar Aug 04 '24 02:08 shawnz
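The check the pull request describes, written out as an added example (not the project's own code): a confidential client must present the exact stored secret, compared in constant time, while a client stored with a null secret is treated as public and is not asked for one. The client table and the `authenticate_client` function are constructed for this illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    # None marks a public (non-confidential) client that has no secret,
    # mirroring the schema change that allows null client secrets.
    client_secret: Optional[str]


# Constructed sample client table; values are placeholders, not real credentials.
CLIENTS = {
    "web-app": ClientRecord("web-app", "example-confidential-secret"),
    "spa": ClientRecord("spa", None),
}


def authenticate_client(client_id: str, presented_secret: Optional[str]) -> bool:
    """Return True only when the client may use the token endpoint.

    Confidential clients (stored secret present) are rejected when the
    secret is missing or does not match. Public clients (stored secret is
    None) are accepted without a secret check.
    """
    record = CLIENTS.get(client_id)
    if record is None:
        # Unknown client_id: reject rather than leaking whether it exists.
        return False

    if record.client_secret is None:
        # Public client: there is nothing to verify, so no secret is required.
        return True

    if not presented_secret:
        # Confidential client with no secret presented: reject.
        return False

    # Constant-time comparison avoids timing side channels on the secret.
    return hmac.compare_digest(
        record.client_secret.encode("utf-8"),
        presented_secret.encode("utf-8"),
    )
```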