Client secret never validated in AuthServer? #27

Closed
fkarlsson opened this issue Mar 25, 2013 · 2 comments

Comments

@fkarlsson

I may be missing something obvious here, and if so I apologize. Anyways the conclusion I've come to is that the client secret is never validated in AuthServer::checkAuthorizeParams(). I've secured my API according to the tutorials linked from the readme, and it does not matter which secret I send, I can retrieve an access token either way. Is it supposed to be like that?

Problem as I see it is in the code below, from AuthServer.php:298-299

```php
// Validate client ID and redirect URI
$clientDetails = self::getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']);
```

The second parameter, client secret, is null and therefore never validated.

@alexbilbie
Contributor

The client_secret isn't verified at that stage. In the authorisation grant it is verified when the client exchanges an authorisation code for an access token.

https://github.com/lncd/OAuth2/blob/master/src/OAuth2/AuthServer.php#L377 loads whichever grants have been enabled (for example the authorisation code grant), and the secret is verified in each grant's completeFlow() method: https://github.com/lncd/OAuth2/blob/master/src/OAuth2/Grant/AuthCode.php#L62

@fkarlsson
Author

Then where is the problem in my implementation? I use the ruby gem oauth2 to test my setup and no matter which secret I input it works. Do I need to change the grant_type that I send?

Edit: Did not see your edit! Alright, so the problem with my implementation is my getClient function which never checks for the secret. I made this mistake as it was never included in the oauth2-example-auth-server.

Thanks for the help and most of all for a great library!
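The thread above pins the bug on the application's own storage `getClient()` implementation rather than on the library: the authorisation step calls it with a `null` secret (as in the snippet quoted from AuthServer.php), and the grant's `completeFlow()` calls it again with the secret the client actually sent, so a `getClient()` that ignores its second argument accepts any secret. The example below is added here and is not code from the lncd/OAuth2 library or from either commenter. It assumes the storage method signature `getClient($clientId, $clientSecret = null, $redirectUri = null)` seen in the quoted call; the returned array shape and the sample client table are constructed for illustration.

```php
<?php
// Added example (not part of lncd/OAuth2). Shows the getClient() mistake from the
// issue beside a version that actually verifies the client secret.

// Constructed sample client table. Secrets are stored as password_hash() output,
// never in plaintext, so a leaked table does not hand out working credentials.
$CLIENTS = [
    'app1' => [
        'name'         => 'Example app',
        'redirect_uri' => 'https://app.example/callback',
        'secret_hash'  => password_hash('s3cret-value', PASSWORD_DEFAULT),
    ],
];

// The mistake described in the issue: the secret parameter is accepted but never
// used, so completeFlow() "verifies" the secret against a lookup that cannot fail.
function getClientInsecure(array $clients, $clientId, $clientSecret = null, $redirectUri = null)
{
    if (!isset($clients[$clientId])) {
        return false;
    }
    $row = $clients[$clientId];
    if ($redirectUri !== null && $row['redirect_uri'] !== $redirectUri) {
        return false;
    }
    return ['client_id' => $clientId, 'name' => $row['name'], 'redirect_uri' => $row['redirect_uri']];
}

// Hardened version. The authorise step passes $clientSecret === null and must still
// succeed, so the rule is: a secret that is supplied (including an empty string)
// must verify; only a literal null skips the check.
function getClientSecure(array $clients, $clientId, $clientSecret = null, $redirectUri = null)
{
    if (!isset($clients[$clientId])) {
        return false;
    }
    $row = $clients[$clientId];

    // Exact-match the registered redirect URI; prefix or substring matches let an
    // attacker-controlled URI receive the authorisation code.
    if ($redirectUri !== null && !hash_equals($row['redirect_uri'], (string) $redirectUri)) {
        return false;
    }

    // Constant-time verification against the stored hash. password_verify('' , $hash)
    // is false, so an empty secret is rejected rather than treated as "no secret".
    if ($clientSecret !== null && !password_verify((string) $clientSecret, $row['secret_hash'])) {
        return false;
    }

    // Assumed return shape; never echo the secret or its hash back to the caller.
    return ['client_id' => $clientId, 'name' => $row['name'], 'redirect_uri' => $row['redirect_uri']];
}

// Constructed checks mirroring the two calls the library makes:
// 1. authorise step (secret null): both versions find the client.
$authorizeStep = getClientSecure($CLIENTS, 'app1', null, 'https://app.example/callback');
// 2. token exchange with a wrong secret: only the hardened version refuses it.
$insecureWithWrongSecret = getClientInsecure($CLIENTS, 'app1', 'not-the-secret');
$secureWithWrongSecret   = getClientSecure($CLIENTS, 'app1', 'not-the-secret');
$secureWithRightSecret   = getClientSecure($CLIENTS, 'app1', 's3cret-value');

echo 'authorise step found client: ', var_export($authorizeStep !== false, true), PHP_EOL;
echo 'insecure accepts wrong secret: ', var_export($insecureWithWrongSecret !== false, true), PHP_EOL;
echo 'secure accepts wrong secret:   ', var_export($secureWithWrongSecret !== false, true), PHP_EOL;
echo 'secure accepts right secret:   ', var_export($secureWithRightSecret !== false, true), PHP_EOL;
```

The `null` versus empty-string distinction is the part worth testing in your own storage class: the library legitimately omits the secret at the authorisation step, so a check written as `if ($clientSecret)` or `if (!empty($clientSecret))` silently turns a blank secret in the token request into a skipped check.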
