Removed need for clientSecret for some grant types #530
The `client_secret` shouldn't be necessary when using the `password` or `refresh_token` grant types. In the former (in cases where client secrets cannot be stored securely), security is handled on a resource owner level, where users in a (for example) mobile web application can log in to an application using their own credentials.

In the latter, the new access tokens are retrieved using special "refresh tokens", which are sent back as a part of the regular OAuth 2.0 response body when a client has successfully authenticated with some kind of `grant_type`. Asking the client for a `client_secret` again is unnecessary in my opinion.

To create a bit of context for this PR: I've been using this package (with this proposed change) in a mobile web application, where resource owners authenticate once (by simply logging in using their email address and password using the `password` grant) and then just (statelessly) identify themselves using their OAuth 2.0 access token. Should the token expire, the client application then simply requests to refresh the token using the `refresh_token` grant. The whole setup consists of a front-end web application and a back-end http://jsonapi.org server, where the communication is done by XHR (with CORS). In all OAuth-related requests, only the `client_id` is sent back to the server.

Thoughts?