Commit
Don't omit client_secret when using PKCE
(Disclaimer: I am not an OAuth expert) PKCE does not preclude transmitting `client_secret` - at least Google OAuth does *not* work without it and explicitly complains about it missing. This is also consistent with their documentation ([1]). (As far as I understand, PKCE is really orthogonal to client authentication; it is only meant to protect the Authorization Code.)

This is also consistent with my understanding of RFC 6749, "4.1.3. Access Token Request" ([2], emphasis added by me):

> If the client type is confidential *OR* the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1.

[1] https://developers.google.com/identity/protocols/oauth2/native-app, "Step 5: Exchange authorization code for refresh and access tokens"
[2] https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3