Missing distinction between public and confidential clients

[Uzlopak]

Currently there is not distinction between confidential and public clients as it is needed by RFC6749

We should add an attribute "type" for the Client-Object.
In the Authorization Grant Flow Access Token is used, we need not only the client_id in the payload but also the client credentials in the authoriation header if it is a confidential client. see RFC 6749 4.1.3

Currently it is not really based on the Client but on the grant_type and the requireClientAuthentication option. As it lacks distinction theoretically a public client has to send client_secret.

[jorenvandeweyer]

So at the moment we assume all clients are private clients.

To implement this we should

• keep assuming al clients are private
• allow to pass a client type
• public clients should not fail getClientCredentials in token-handler.js

node-oauth2-server/lib/handlers/token-handler.js

Lines 173 to 199 in aaf28b4

	getClientCredentials (request) {
	const credentials = auth(request);
	const grantType = request.body.grant_type;
	const codeVerifier = request.body.code_verifier;
	if (credentials) {
	return { clientId: credentials.name, clientSecret: credentials.pass };
	}
	if (request.body.client_id && request.body.client_secret) {
	return { clientId: request.body.client_id, clientSecret: request.body.client_secret };
	}
	if (pkce.isPKCERequest({ grantType, codeVerifier })) {
	if(request.body.client_id) {
	return { clientId: request.body.client_id };
	}
	}
	if (!this.isClientAuthenticationRequired(grantType)) {
	if(request.body.client_id) {
	return { clientId: request.body.client_id };
	}
	}
	throw new InvalidClientError('Invalid client: cannot retrieve client credentials');
	}

In conclusion, this would require some architectural changes since the validation is done before the client is fetched.