
RefreshTokenGrant requires client_secret also for non-confidential clients #1369

Open
PMawesome opened this issue Aug 26, 2023 · 4 comments · May be fixed by #1420

Comments

@PMawesome

RefreshTokenGrant::respondToAccessTokenRequest requires a client_secret, otherwise it will throw an exception (OAuthServerException::invalidClient). This does not make sense for non-confidential clients, as they are not able to send the client_secret.

@SherinBloemendaal

Did you include the client_secret in the request payload? When it is not sent, it defaults to null, which causes the check to pass (referenced in League\OAuth2\Server\Grant\AbstractGrant at line 265).

@Sephster
Member

Could you provide details about where the exception is being thrown from and we can check this. It should be noted that most implementations don't allow public clients to use the Refresh Token grant for enhanced security.

We explicitly skip client validation if the client is confidential for the auth code grant but don't do a similar check for the refresh token grant so I think you are correct in your assertion.

I'm unsure if we should support this though. Any further information about where the error is being thrown etc would be appreciated. Thank you

@meienberger

Hello, I'm currently facing a similar challenge in our implementation. We use the Auth code grant to authenticate our micro-frontend application and we want to avoid re-doing a complete authorization flow each time our token reaches its expiration. As per the specifications it states that issuing a refresh token is at the discretion of the authorization server and in fact, a refresh token is issued when we request a token through the Auth Code grant flow but we cannot use it because of the limitation mentioned above. Is there a way for us to use this refresh token without a client secret?

Thanks for your time

@hafezdivandari

You may check PR #1420

The example given on the OAuth2ServerExamples\Repositories\ClientRepository::validateClient method is wrong, you must validate the client secret only when the client is confidential:

-if (password_verify($clientSecret, $clients[$clientIdentifier]['secret']) === false) {
+if ($clients[$clientIdentifier]['is_confidential'] === true &&
+    password_verify($clientSecret, $clients[$clientIdentifier]['secret']) === false) {
    return false;
}
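Review bot: the `$clients[$clientIdentifier]['is_confidential'] === true` guard on the `+if` line fails open: if the flag is stored as anything other than a PHP `true` (an integer `1` or string `"1"` read from a database row, or a missing key), the strict comparison is false, the `&&` short-circuits and `password_verify` is never reached, so every client is silently treated as public. Normalise the flag first (for example with `filter_var(..., FILTER_VALIDATE_BOOLEAN)` and a default of confidential when the value is unrecognised) and, for a confidential client, `return false` when `$clientSecret === null` before calling `password_verify`, which on PHP 8.1+ also avoids the null-to-string deprecation notice.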

All grant types can be public (non-confidential) except "client credentials" grant, so oauth2-server doesn't force client_secret to be present on any request (except "client credentials" grant) as expected.

Long story short, the oauth2-server doesn't expect client_secret to be present when refreshing the token, but you are returning false on ClientRepository::validateClient() method when the client is non-confidential!
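The following is an added example, not code from league/oauth2-server, from its examples directory, or from any participant in this thread. It shows a fail-closed `validateClient()` of the kind the comment above describes: the secret is verified only for confidential clients, a public client may refresh without one, and the client credentials grant is refused to public clients. The method signature mirrors `ClientRepositoryInterface::validateClient()` in oauth2-server 8.x, but the class deliberately does not implement the interface so it runs without Composer; the client table, the `demo-secret` value and the class name are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not oauth2-server code): a fail-closed client repository.
final class DemoClientRepository
{
    /** @var array<string, array{name: string, secret: ?string, is_confidential: mixed}> */
    private array $clients;

    public function __construct()
    {
        // Constructed client table for the demo.
        $this->clients = [
            // Confidential client: has a stored secret hash and must present the secret.
            'server-app' => [
                'name'            => 'Server App',
                'secret'          => password_hash('demo-secret', PASSWORD_DEFAULT),
                'is_confidential' => true,
            ],
            // Public client (SPA / micro-frontend): no secret is ever stored.
            'spa' => [
                'name'            => 'Micro-frontend',
                'secret'          => null,
                'is_confidential' => false,
            ],
        ];
    }

    /**
     * Same parameters as ClientRepositoryInterface::validateClient() in oauth2-server 8.x:
     * the library passes $clientSecret = null when the request carries no secret.
     */
    public function validateClient(string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool
    {
        if (!isset($this->clients[$clientIdentifier])) {
            return false;
        }
        $client = $this->clients[$clientIdentifier];

        // Normalise the flag (bool, int or string from a DB row) and default to
        // confidential when it is missing or unrecognised, so the check fails closed.
        $isConfidential = filter_var(
            $client['is_confidential'] ?? true,
            FILTER_VALIDATE_BOOLEAN,
            FILTER_NULL_ON_FAILURE
        ) ?? true;

        // Client credentials is the one grant that requires a confidential client.
        if ($grantType === 'client_credentials' && !$isConfidential) {
            return false;
        }

        if ($isConfidential) {
            // A confidential client must always present its secret, refresh_token grant included.
            if ($clientSecret === null || $client['secret'] === null) {
                return false;
            }
            return password_verify($clientSecret, $client['secret']);
        }

        // Public client: there is no secret to check. The grant itself carries the proof
        // (PKCE for authorization_code, the previously issued refresh token for refresh_token).
        return true;
    }
}

$repo = new DemoClientRepository();
$cases = [
    ['spa',        null,          'refresh_token'],      // public client refreshing without a secret: valid
    ['spa',        null,          'client_credentials'], // public client on client_credentials: invalid
    ['server-app', null,          'refresh_token'],      // confidential client without a secret: invalid
    ['server-app', 'demo-secret', 'refresh_token'],      // confidential client with the right secret: valid
    ['server-app', 'wrong',       'refresh_token'],      // wrong secret: invalid
    ['unknown',    null,          'refresh_token'],      // unknown client: invalid
];
foreach ($cases as [$id, $secret, $grant]) {
    printf("%-11s %-12s %-18s => %s\n", $id, $secret ?? '(none)', $grant,
        $repo->validateClient($id, $secret, $grant) ? 'valid' : 'invalid');
}
```

Run it with `php demo.php`; the table of cases at the bottom exercises each branch. The two design choices worth keeping in a real repository are the fail-closed default for an unrecognised `is_confidential` value and the explicit `null` check before `password_verify`, so a confidential client can never pass by simply omitting its secret.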


5 participants