
Conversation

@aubelsb2
Contributor

@aubelsb2 aubelsb2 commented Jul 6, 2020

…aks SPA / Jam Stack apps.

https://tools.ietf.org/html/rfc6749#section-4.1.3

Basically, client_secret isn't required, and if it is required for an SPA (single-page application) it ends up revealing the secret, which would allow clients to generate any arbitrary token themselves.

@aubelsb2
Contributor Author

aubelsb2 commented Jul 6, 2020

Sorry, it seems my IDE ran go-fmt over this. Would you like me to resubmit?

@LyricTian
Member

Thanks, please resubmit it.

@aubelsb2
Contributor Author

aubelsb2 commented Jul 6, 2020

Done, please see #152.

@aubelsb2 aubelsb2 closed this Jul 6, 2020
@aubelsb2 aubelsb2 deleted the rfc6749-4-1-3 branch July 6, 2020 23:30
@sheepsong

sheepsong commented Jul 20, 2020

Wait.
If we just make client_secret not required, anyone who has a client_id will be able to get tokens without secrets.
See #156.
The RFC also mentions in section 4.1.3:

If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.

With this PR, client authentication is not required any more. I think it is unsafe for the multiple-client scenario. SPA projects should handle the token process on the server side as well.

@aubelsb2
Contributor Author

SPA projects should handle the token process on the server side as well.

Looking at the code, there is an implicit code flow. Perhaps I'm not using it correctly. Either way, I don't think that was covered by RFC 7523, where you could cryptographically verify the client's involvement. Reading the whole RFC 6749 spec again, it seems that the secret is really only required for user/password authentication, and it doesn't seem to make any strong recommendations on how to use it; it's really unclear, TBH. My best guess from what I can read is that the client_secret is used for password authentication (for some reason...) and for further API calls to the authentication server which aren't part of the specification, basically for the effect of making it clear to the other server(s) whether the call is coming from the client or the user agent.

I'm available for a chat if you want to clarify what's happening with me, but as far as I can understand, I'm after an implicit process for SPAs. I think this code should be moved to the switch statement further down at least, to take into account the grant type being used. However, it's still unclear to me if that's actually to spec.
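The two positions in this thread (sheepsong: an unconditional "secret not required" lets anyone holding a confidential client_id mint tokens; aubelsb2: the decision should depend on the client and grant type) can be reconciled in a single token-endpoint check. The Go below is an added illustration written for this page, not code from go-oauth2/oauth2 or from either commenter; the Client, TokenRequest and GrantType types, the sampleClients registry and the naiveAuthenticate / authenticateClient functions are all hypothetical names chosen for the example. It places the vulnerable shortcut next to a version that keeps RFC 6749 §4.1.3 intact: a confidential client must always present its secret, a public client (registered with no secret, so there is nothing to leak in an SPA bundle) may skip it, and the grant types a public client is allowed to use are restricted per RFC 6749 §4.4.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// GrantType holds the RFC 6749 grant_type values this example handles.
type GrantType string

const (
	AuthorizationCode GrantType = "authorization_code"
	Password          GrantType = "password"
	ClientCredentials GrantType = "client_credentials"
	RefreshToken      GrantType = "refresh_token"
)

// Client is a hypothetical registered-client record (not the project's own type).
// Public marks a client that cannot keep a secret, such as an SPA; it is
// registered with no secret at all.
type Client struct {
	ID     string
	Secret string // empty for public clients
	Public bool
}

// TokenRequest carries the token-endpoint parameters relevant to client authentication.
type TokenRequest struct {
	GrantType    GrantType
	ClientID     string
	ClientSecret string
}

var (
	ErrInvalidClient      = errors.New("invalid_client")
	ErrUnauthorizedClient = errors.New("unauthorized_client")
	ErrUnsupportedGrant   = errors.New("unsupported_grant_type")
)

// sampleClients is a constructed registry: one confidential server-side
// client and one public SPA client.
func sampleClients() map[string]Client {
	return map[string]Client{
		"web-backend": {ID: "web-backend", Secret: "s3cr3t", Public: false},
		"spa":         {ID: "spa", Public: true},
	}
}

// naiveAuthenticate is the shortcut the thread warns against: the secret is
// never checked, so anyone who learns a confidential client_id gets tokens.
func naiveAuthenticate(clients map[string]Client, req TokenRequest) (Client, error) {
	cli, ok := clients[req.ClientID]
	if !ok {
		return Client{}, ErrInvalidClient
	}
	return cli, nil
}

// authenticateClient decides per client and per grant type: a confidential
// client must present its secret (RFC 6749 §4.1.3); a public client need not,
// but is limited to grants a public client may use.
func authenticateClient(clients map[string]Client, req TokenRequest) (Client, error) {
	cli, ok := clients[req.ClientID]
	if !ok {
		return Client{}, ErrInvalidClient
	}
	if !cli.Public {
		// Confidential client: the secret is mandatory; compare in constant time.
		if req.ClientSecret == "" ||
			subtle.ConstantTimeCompare([]byte(cli.Secret), []byte(req.ClientSecret)) != 1 {
			return Client{}, ErrInvalidClient
		}
		return cli, nil
	}
	// Public client: nothing to verify, so restrict the grant instead.
	// RFC 6749 §4.4 allows client_credentials only for confidential clients.
	switch req.GrantType {
	case AuthorizationCode, RefreshToken, Password:
		return cli, nil
	case ClientCredentials:
		return Client{}, ErrUnauthorizedClient
	default:
		return Client{}, ErrUnsupportedGrant
	}
}

func main() {
	clients := sampleClients()
	stolenID := TokenRequest{GrantType: AuthorizationCode, ClientID: "web-backend"}
	_, err := naiveAuthenticate(clients, stolenID)
	fmt.Println("naive, confidential client without secret:", err)
	_, err = authenticateClient(clients, stolenID)
	fmt.Println("checked, confidential client without secret:", err)
	_, err = authenticateClient(clients, TokenRequest{GrantType: AuthorizationCode, ClientID: "spa"})
	fmt.Println("checked, public SPA without secret:", err)
}
```

The point of the split is that "secret optional" is a property of the registered client, not of the token endpoint as a whole. A public client that skips the secret still needs some other binding of the code to the party that requested it; RFC 7636 (PKCE) is the usual answer for SPAs and is not shown here.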



4 participants