oauth2-server
Support Public Clients for Password and Refresh Token Grant
Something that was confusing to me about this is that the AuthCodeGrant only calls validateCredentials for private clients, which made it seem like you no longer needed to check if the client was confidential before attempting to verify the secret.
However, the refresh token grant and password grant are both supposed to support public clients according to the OAuth specification, and they do not check Client::isConfidential before calling validateClient.
Wouldn't that mean the isConfidential check in the AuthCodeGrant is unnecessary as you will need to check yourself in validateClient in order to support the other grant types?
Originally posted by @matt-allan in https://github.com/thephpleague/oauth2-server/issues/1034#issuecomment-513974013
Under the current implementation, we can't support public clients for the password grant or refresh token grant because we always check client credentials. We need to add the same isConfidential check to these grants that we have for the auth code grant.
This would be a BC break so won't be implemented until version 9.
Quick workaround
```php
<?php

use League\OAuth2\Server\Grant\PasswordGrant;
use League\OAuth2\Server\Grant\RefreshTokenGrant;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
use Psr\Http\Message\ServerRequestInterface;

// Skip extracting client_id / client_secret from the request so the grant
// never fails because a public client sent no secret.
class PublicClientPasswordGrant extends PasswordGrant
{
    protected function getClientCredentials(ServerRequestInterface $request): array
    {
        return ['', ''];
    }
}

class PublicClientRefreshTokenGrant extends RefreshTokenGrant
{
    protected function getClientCredentials(ServerRequestInterface $request): array
    {
        return ['', ''];
    }
}

// Repository that treats every request as coming from one public client.
// ClientEntity is the application's own entity class; the library traits
// do not provide setName()/setRedirectUri().
class PublicClientRepository implements ClientRepositoryInterface
{
    public function getClientEntity($clientIdentifier)
    {
        $client = new ClientEntity();
        $client->setIdentifier('public-client');
        $client->setName('Public Client');
        $client->setRedirectUri('https://example.com');
        return $client;
    }

    // Always succeeds: no secret is ever verified, so this repository is only
    // safe on a server that serves public clients exclusively.
    public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
    {
        return true;
    }
}
```
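The workaround above accepts every client unconditionally. For a server that has both confidential and public clients, the isConfidential check the issue asks for in the grants can instead live in the repository, which the password and refresh token grants call on every request. The following is an added example, not code from the issue or from the library: `ExampleClient` and `ConfidentialAwareClientRepository` are assumed names, and the client table with its secret hash is constructed sample data.

```php
<?php
declare(strict_types=1);

use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;

// Minimal client entity (assumed; the library only defines the interface).
final class ExampleClient implements ClientEntityInterface
{
    public function __construct(
        private string $identifier,
        private string $name,
        private string $redirectUri,
        private bool $confidential
    ) {
    }

    public function getIdentifier() { return $this->identifier; }
    public function getName() { return $this->name; }
    public function getRedirectUri() { return $this->redirectUri; }
    public function isConfidential() { return $this->confidential; }
}

// Repository that only verifies a secret for confidential clients and lets
// public clients through without one, for whatever grant types they are allowed.
final class ConfidentialAwareClientRepository implements ClientRepositoryInterface
{
    /** @var array<string, array<string, mixed>> constructed sample client table */
    private array $clients;

    public function __construct()
    {
        $this->clients = [
            // Server-side web app: confidential, secret stored as a password hash.
            'web-backend' => [
                'name'         => 'Web Backend',
                'redirect_uri' => 'https://app.example.com/callback',
                'confidential' => true,
                'secret_hash'  => password_hash('example-secret-from-config', PASSWORD_DEFAULT),
                'grants'       => ['authorization_code', 'refresh_token', 'password'],
            ],
            // Mobile app: public, has no secret at all.
            'mobile-app' => [
                'name'         => 'Mobile App',
                'redirect_uri' => 'com.example.app://callback',
                'confidential' => false,
                'secret_hash'  => null,
                'grants'       => ['password', 'refresh_token'],
            ],
        ];
    }

    public function getClientEntity($clientIdentifier)
    {
        $row = $this->clients[$clientIdentifier] ?? null;
        if ($row === null) {
            return null; // unknown client -> invalid_client
        }

        return new ExampleClient($clientIdentifier, $row['name'], $row['redirect_uri'], $row['confidential']);
    }

    public function validateClient($clientIdentifier, $clientSecret, $grantType)
    {
        $row = $this->clients[$clientIdentifier] ?? null;
        if ($row === null) {
            return false;
        }

        // Restrict each client to the grant types registered for it.
        if (!in_array($grantType, $row['grants'], true)) {
            return false;
        }

        // Public client: there is no secret to verify. This is the branch that lets
        // password/refresh_token requests from public clients succeed.
        if (!$row['confidential']) {
            return true;
        }

        // Confidential client: a missing or empty secret is a failure, never a pass.
        if ($clientSecret === null || $clientSecret === '') {
            return false;
        }

        return password_verify((string) $clientSecret, $row['secret_hash']);
    }
}
```

With the check in the repository, the stock PasswordGrant and RefreshTokenGrant can be used unchanged: the grant still extracts client_id (which the public client must send) and calls validateClient, but the repository decides per client whether a secret is required. Note that the grant-type allow-list above is what keeps a public client from using a grant it was never registered for.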