Open vrseraphin opened 5 years ago
I'm using ORY Hydra as my provider with a public client. I tried to use an empty client_secret to work around the issue explained by @vrseraphin, but the provider complains about sending the Authorization header for a public client:
{"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The OAuth 2.0 Client supports client authentication method 'none', but method 'client_secret_basic' was requested. You must configure the OAuth 2.0 client's 'token_endpoint_auth_method' value to accept 'client_secret_basic'."}
I think it's important to support the authorization-code flow with public clients.
The OAuth spec calls out confidential and public client types: [https://tools.ietf.org/html/rfc6749#section-2.1]
For public client types, a client_secret may not exist. Presently the processAuthorizationCodeResponse is throwing an error when client_secret is not defined in config. Are you expecting it to be defined with an empty value for public client types?
Also, at the bottom of [https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/] within the "Client Authentication (required)" section, it indicates that some implementations will not support the Authentication header but might expect client_id and client_secret to be within the posted params within the body. Can the library offer some way to be configured to support such servers?