

Merge pull request #129 from badgateway/public-client-id-in-body
If there's no secret, we should never use Basic auth to encode the client_id.
evert authored Nov 16, 2023
2 parents dc07503 + 538efc6 commit 0562b08
Showing 3 changed files with 50 additions and 1 deletion.
7 changes: 7 additions & 0 deletions changelog.md
@@ -1,6 +1,13 @@
Changelog
=========

2.2.5 (????-??-??)
------------------

* Fix for #128: If there's no secret, we should never use Basic auth to encode
the `client_id`.


2.2.4 (2023-09-05)
------------------

12 changes: 11 additions & 1 deletion src/client.ts
Expand Up @@ -296,8 +296,18 @@ export class OAuth2Client {
};

let authMethod = this.settings.authenticationMethod;

if (!this.settings.clientSecret) {
// Basic auth should only be used when there's a client_secret, for
// non-confidential clients we may only have a client_id, which
// always gets added to the body.
authMethod = 'client_secret_post';
}
if (!authMethod) {
authMethod = this.settings.clientSecret ? 'client_secret_basic' : 'client_secret_post';
// If we got here, it means no preference was provided by anything,
// and we have a secret. In this case its preferred to embed
// authentication in the Authorization header.
authMethod = 'client_secret_basic';
}

switch(authMethod) {
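Review bot: The new `if (!this.settings.clientSecret)` guard replaces whatever `authenticationMethod` the caller configured whenever the secret is falsy, not only the `client_secret_basic` case that #128 is about; should the `switch(authMethod)` on the last line of the hunk (its body runs past the hunk, so I cannot see which methods it handles) ever support a method that does not rely on a shared secret, that explicit choice would be silently rewritten to `client_secret_post`. Narrowing the override keeps the fix and preserves other explicit settings: `if (!this.settings.clientSecret && (!authMethod || authMethod === 'client_secret_basic')) {`, which also leaves the "we have a secret" reasoning in the second branch intact. The override is silent, so a comment such as `// An explicit client_secret_basic without a secret is a misconfiguration; fall back to the only method a public client can use.` would record that discarding the setting is intentional rather than an oversight. The enclosing method starts before the hunk.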
32 changes: 32 additions & 0 deletions test/authorization-code.ts
Expand Up @@ -235,6 +235,38 @@ describe('authorization-code', () => {
});

});
it('should not use Basic Auth if no secret is provided, even if client_secret_basic is set.', async() => {

const server = testServer();

const client = new OAuth2Client({
server: server.url,
tokenEndpoint: '/token',
clientId: 'test-client-id',
authenticationMethod: 'client_secret_basic',
});

const result = await client.authorizationCode.getToken({
code: 'code_000',
redirectUri: 'http://example/redirect',
});

expect(result.accessToken).to.equal('access_token_000');
expect(result.refreshToken).to.equal('refresh_token_000');
expect(result.expiresAt).to.be.lessThanOrEqual(Date.now() + 3600_000);
expect(result.expiresAt).to.be.greaterThanOrEqual(Date.now() + 3500_000);

const request = server.lastRequest();
expect(request.headers.get('Authorization')).to.equal(null);

expect(request.body).to.eql({
client_id: 'test-client-id',
grant_type: 'authorization_code',
code: 'code_000',
redirect_uri: 'http://example/redirect',
});

});

});
});
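Review bot: The new test pins the public-client path, but nothing in this hunk exercises the rewritten `!authMethod` fallback in client.ts, which now hardcodes `client_secret_basic` once a secret is present; unless an earlier test in this describe block (it starts before the hunk) already covers that default, a companion case with `clientSecret` set and no `authenticationMethod` should assert that the `Authorization` header is a `Basic` credential. The `expiresAt` assertions are boilerplate unrelated to the property under test and could be dropped so a failure points at the authentication method rather than at clock drift.
```typescript
it('should default to Basic Auth when a secret is set and no method is configured', async() => {
  const server = testServer();
  const client = new OAuth2Client({
    server: server.url,
    tokenEndpoint: '/token',
    clientId: 'test-client-id',
    clientSecret: 'test-client-secret',
  });
  await client.authorizationCode.getToken({
    code: 'code_000',
    redirectUri: 'http://example/redirect',
  });
  const request = server.lastRequest();
  expect(request.headers.get('Authorization')).to.match(/^Basic /);
});
```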
