I may be missing something obvious here, and if so I apologize. Anyway, the conclusion I've come to is that the client secret is never validated in AuthServer::checkAuthorizeParams(). I've secured my API according to the tutorials linked from the readme, and it does not matter which secret I send, I can retrieve an access token either way. Is it supposed to be like that?
Problem as I see it is in the code below, from AuthServer.php:298-299
// Validate client ID and redirect URI
$clientDetails = self::getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']);
The second parameter, client secret, is null and therefore never validated.
The client_secret isn't verified at that stage. In the authorisation grant it is verified when the client exchanges an authorisation code for an access token.
Then where is the problem in my implementation? I use the ruby gem oauth2 to test my setup and no matter which secret I input it works. Do I need to change the grant_type that I send?
Edit: Did not see your edit! Alright, so the problem with my implementation is my getClient function which never checks for the secret. I made this mistake as it was never included in the oauth2-example-auth-server.
Thanks for the help and most of all for a great library!
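The fix the reporter describes, as an added example that is not part of this issue or of the library: a storage getClient() that verifies the secret whenever the server passes one (the token-exchange step), while the authorize step, which passes null as shown above, only checks the redirect URI. The PDO table layout and the class name are assumptions.

```php
<?php
// Added example, not the library's or the reporter's code. Assumes a PDO
// connection and a table oauth_clients(id, name, secret_hash, redirect_uri)
// where secret_hash holds password_hash() output for the client secret.

class PdoClientStorage
{
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    /**
     * Same call shape as the issue: getClient($clientId, $clientSecret, $redirectUri).
     * Returns client details, or false when any supplied credential does not match.
     */
    public function getClient($clientId, $clientSecret = null, $redirectUri = null)
    {
        $stmt = $this->db->prepare(
            'SELECT id, name, secret_hash, redirect_uri FROM oauth_clients WHERE id = :id'
        );
        $stmt->execute([':id' => $clientId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false; // unknown client
        }

        // Authorize step: the server passes a null secret and a redirect URI,
        // so only the registered redirect URI is checked here (exact match).
        if ($redirectUri !== null && !hash_equals($row['redirect_uri'], $redirectUri)) {
            return false;
        }

        // Token step: a secret is supplied and must be verified. Skipping this
        // check is exactly the bug from the thread: any secret yields a token.
        if ($clientSecret !== null && !password_verify($clientSecret, $row['secret_hash'])) {
            return false;
        }

        return [
            'client_id'    => $row['id'],
            'client_name'  => $row['name'],
            'redirect_uri' => $row['redirect_uri'],
        ];
    }
}
```

A quick check of the fix is to repeat the reporter's test: request a token with a wrong client_secret and confirm the server now rejects it.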