Allow public clients to authenticate without client_secret #1031
Public vs Private Clients
The original OAuth 2 RFC makes a definition between public & private clients (Section 2.1). To this end, along with modeling industry best practice,
This allows Doorkeeper to behave differently when receiving an authentication request, depending on the identified client and its confidentiality.
This decision maintains security by forcing the presence of a
For backwards compatibility, an
I omitted some important work to keep this PR simple:
Add Application#confidential

Add dummy migration for Application#confidential
Because Dummy app is now Rails 5.1, the old migrations' ancestor class needed to be explicitly the 4.2 variety.

Expose app confidentiality in views & controllers

Allow public applications to be found if secret is blank

Don't use #client_via_uid fallback on Password strategy
Since credentials will only contain UID when a public application is calling, the fallback method of finding by UID alone is dead code. Private apps are not allowed to be identified by UID alone.
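The client-resolution rule the commits above describe (a confidential app must always present its secret; a public app may be found with a blank secret; UID alone never identifies a confidential app), written out as an added example. This is not Doorkeeper's code: the `Application` struct, the `APPS` registry and the helper names are constructed for illustration.

```ruby
# Added illustration of the public/confidential client rule from this PR.
# Not Doorkeeper's code; Application, APPS and the helpers are constructed.
Application = Struct.new(:uid, :secret, :confidential, keyword_init: true)

# Constructed registry: one confidential (server-side) app that can keep a
# secret, and one public app (native/single-page) that cannot.
APPS = [
  Application.new(uid: "web-app-uid",    secret: "s3cret",     confidential: true),
  Application.new(uid: "mobile-app-uid", secret: "pub-s3cret", confidential: false),
].freeze

# Constant-time byte comparison so a secret check does not leak via timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def blank?(s)
  s.nil? || s.empty?
end

# Resolve the calling client. Returns the Application, or nil when the
# credentials do not authenticate it.
def authenticate_client(uid:, secret: nil)
  app = APPS.find { |a| a.uid == uid }
  return nil if app.nil?

  if app.confidential
    # Confidential clients are never identified by UID alone (no #client_via_uid
    # fallback): the secret must be present and must match.
    return nil if blank?(secret)
    secure_equal?(app.secret, secret) ? app : nil
  else
    # Public client: found with a blank secret; if a secret is sent it must match
    # (assumption for this example, not a rule stated in the PR).
    blank?(secret) || secure_equal?(app.secret, secret) ? app : nil
  end
end
```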