
Support client_secret on authorization_code grants

Open evert opened this issue 3 years ago • 0 comments

Pointed out in this ticket: https://github.com/badgateway/oauth2-client/issues/70

authorization_code should support sending client_secret. After we support this we should also ensure that if client_secret is passed to get the token, it should also be passed every time the token is refreshed. This means we need to start tracking if a client_secret was used to obtain the original token.

This feature can pretty much be done in multiple steps:

  • [x] Support client_secret with authorization_code.
  • [x] Track in the oauth2_token table which grant_type was used to issue the token.
  • [x] Track in the oauth2_token if a client_secret was used to issue the token.
  • [ ] Enforce that if a client_secret was used to issue a token, it must be specified when refreshing the same token.

evert, Jul 04 '22 17:07
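The enforcement the last checkbox asks for, written here as an added TypeScript example rather than a12n-server's own code: an in-memory stand-in for the oauth2_token table records the grant type and whether a client_secret was presented, and a refresh is refused when it omits or mismatches the secret for a token that was originally obtained with one. The field names, the client registry, the hashed-secret storage and the secret value are constructed assumptions.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

// Grant types the issue mentions; the token row records which one issued it.
type GrantType = 'authorization_code' | 'client_credentials' | 'refresh_token';

// Constructed in-memory stand-in for the oauth2_token table (field names are assumptions).
interface TokenRecord {
  refreshToken: string;
  clientId: string;
  grantType: GrantType;
  clientSecretUsed: boolean; // set when issued, carried over unchanged on every refresh
}

function sha256(s: string): Uint8Array {
  return createHash('sha256').update(s).digest();
}

// Constructed client registry: only a hash of the secret is stored (assumption).
const clients = new Map<string, Uint8Array>([['web-app', sha256('constructed-secret')]]);
const tokens = new Map<string, TokenRecord>();
let nextId = 0;
const newRefreshToken = (): string => `rt-${++nextId}`;

// Constant-time comparison so a wrong secret does not leak how many bytes matched.
function secretMatches(clientId: string, secret: string): boolean {
  const stored = clients.get(clientId);
  if (!stored) return false;
  const given = sha256(secret);
  return stored.length === given.length && timingSafeEqual(stored, given);
}

// Issue a token and remember whether a (verified) client_secret was used to obtain it.
function issueToken(clientId: string, grantType: GrantType, clientSecret?: string): TokenRecord {
  if (clientSecret !== undefined && !secretMatches(clientId, clientSecret)) throw new Error('invalid_client');
  const rec: TokenRecord = { refreshToken: newRefreshToken(), clientId, grantType, clientSecretUsed: clientSecret !== undefined };
  tokens.set(rec.refreshToken, rec);
  return rec;
}

// Refresh: a token obtained with a client_secret can only be refreshed with that same secret.
function refresh(refreshToken: string, clientId: string, clientSecret?: string): TokenRecord | 'invalid_grant' | 'invalid_client' {
  const old = tokens.get(refreshToken);
  if (!old || old.clientId !== clientId) return 'invalid_grant';
  if (old.clientSecretUsed && (clientSecret === undefined || !secretMatches(clientId, clientSecret))) return 'invalid_client';
  tokens.delete(refreshToken); // rotate: the old refresh token is single-use
  const fresh: TokenRecord = { refreshToken: newRefreshToken(), clientId, grantType: 'refresh_token', clientSecretUsed: old.clientSecretUsed };
  tokens.set(fresh.refreshToken, fresh);
  return fresh;
}
```

A token issued to a public client (no secret) keeps refreshing without one, so the check only tightens behaviour for tokens that a confidential client obtained.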