Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No authentication sent with OAuth2 device authorization request #685

Open
papegaaij opened this issue Nov 22, 2023 · 1 comment · May be fixed by #757
Open

No authentication sent with OAuth2 device authorization request #685

papegaaij opened this issue Nov 22, 2023 · 1 comment · May be fixed by #757

Comments

@papegaaij
Copy link

papegaaij commented Nov 22, 2023
edited
Loading

When a client is configured with a client secret, i.e. it's a confidential client, this secret is not sent with the device authorization request (the very first request where you retrieve the DeviceAuthResponse). RFC-8628 states that:

The client authentication requirements of Section 3.2.1 of [RFC6749] apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint, and public clients provide the "client_id" parameter to identify themselves.

In the DeviceAuth (deviceauth.go:82) method, the client_id is always added as a query parameter and the secret is not used. This method should use the same construction as used in newTokenRequest in token.go:183.
@testinfected
Copy link

testinfected commented May 30, 2024
edited
Loading

Stumbled on the very same issue today and it took use hours to trace the pb to the client_secret not included in the request. I had to use an AuthOption, i.e. oauth2.SetAuthURLParam("client_secret", secret) to force its inclusion.

Can somebody enlighten me as to why it's not included?

Thanks in advance

@adombeck adombeck mentioned this issue Nov 26, 2024
Open
nsklikas added a commit to nsklikas/oauth2 that referenced this issue Nov 27, 2024
@nsklikas
fix: use client authn on device auth request
bf14dad 
According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1,
the device auth request must include client authentication.

Fixes golang#685
nsklikas added a commit to nsklikas/oauth2 that referenced this issue Nov 27, 2024
@nsklikas
fix: use client authn on device auth request
1549187 
According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1,
the device auth request must include client authentication.

Fixes golang#685
@nsklikas nsklikas linked a pull request Nov 27, 2024 that will close this issue
Open
nsklikas added a commit to nsklikas/oauth2 that referenced this issue Nov 27, 2024
@nsklikas
oauth2: use client authn on device auth request
dcc463a 
According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1,
the device auth request must include client authentication.

Fixes golang#685
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use client authn on device auth request nsklikas/oauth2
2 participants
@testinfected @papegaaij