Description
When a client is configured with a client secret, i.e. it's a confidential client, this secret is not sent with the device authorization request (the very first request where you retrieve the DeviceAuthResponse). RFC-8628 states that:
The client authentication requirements of Section 3.2.1 of [RFC6749] apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint, and public clients provide the "client_id" parameter to identify themselves.
In the DeviceAuth (deviceauth.go:82) method, the client_id is always added as a query parameter and the secret is not used. This method should use the same construction as used in newTokenRequest in token.go:183.
Metadata
Metadata
Assignees
Labels
Type
Projects
Milestone
Relationships
Participants
Activity
testinfected commentedon May 30, 2024
Stumbled on the very same issue today and it took use hours to trace the pb to the
client_secretnot included in the request. I had to use anAuthOption, i.e.oauth2.SetAuthURLParam("client_secret", secret)to force its inclusion.Can somebody enlighten me as to why it's not included?
Thanks in advance
fix: use client authn on device auth request
fix: use client authn on device auth request
oauth2: use client authn on device auth request