-
-
Notifications
You must be signed in to change notification settings - Fork 452
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implicit auth cannot be natively used by confidential clients #115
Comments
**each with a different client type and security context **. You can design the client as: class App:
app_id = column()
class Client:
app_id = reference(App)
... In this case, the |
Thanks for the response. That's better than what I had (fixes the other downstream logic depending on client type), but unfortunately I still need to overwrite the authentication handlers to overwrite the |
@night each with a different client type and security context In this case, the client_id and client_secret will be different. |
Unfortunately that's not something that is possible in my upgrade path. In the system I work on every application has one client/secret pair. This is the case on almost every OAuth2 provider I can think of, even Google/Facebook operate this way. I think you have the only library which actually has strict client type handling like this. I suspect if this library gets any traction you will run into others in my predicament as well for this reason. |
for more context, here's an approach I have to solve this locally:
My intent is to have the client authentication scheme dictate the client type, which allows this library to work properly in the mindset that all clients can be public clients, but public clients cannot be confidential clients. It's worth noting that the RFC does mention this use case in one line of the RFC in a section with redirect URLs, implying this is supported behavior:
|
@night I think I finally got what you want: class OAuthClient(Client):
def check_client_type(self, client_type):
if self.client_type == 'confidential':
# confidential client can also support public client type
return True
return self.client_type == client_type You can overwrite this |
@lepture That's actually the first solution I had, but the problem with that is it fixes implicit auth for a confidential client acting as a public client, but it breaks the refresh token grant for confidential clients because of
|
@night you are right. I changed the if condition in refresh token. |
I think this will work. Will followup if there's anything else. Thanks for the quick fixes to all these issues btw. Library is much improved vs. flask-oauthlib |
An important distinction for confidential clients versus public clients is that confidential clients can also be used as public clients (as long as the authorization server supports it). Over at
authlib/authlib/oauth2/rfc6749/authenticate_client.py
Line 104 in 5564d2d
check_client_type
should probably be removed from such flows, instead relying on the request alone to dictate the authentication schemes supported for the flow (already true to an extent withTOKEN_ENDPOINT_AUTH_METHODS
).More info at https://tools.ietf.org/html/rfc6749#section-2.1
The text was updated successfully, but these errors were encountered: