exop-group / doorkeeper-device_authorization_grant

OAuth 2.0 Device Authorization Grant extension for Doorkeeper
https://rubygems.org/gems/doorkeeper-device_authorization_grant
MIT License

Missing allowed grant flows validation configuration #14

Open yoda opened 1 year ago

yoda commented 1 year ago

After looking through a few places, the available-flows validation seems to be missing:

option :allow_grant_flow_for_client, default: ->(_grant_flow, _client) { true }

From the client_credentials flow validation:

validate :client_supports_grant_flow, error: :unauthorized_client
...
def validate_client_supports_grant_flow
  return if @client.blank?

  # Asks the configured allow_grant_flow_for_client hook whether this
  # application may use the client_credentials flow.
  Doorkeeper.config.allow_grant_flow_for_client?(
    Doorkeeper::OAuth::CLIENT_CREDENTIALS,
    @client.application,
  )
end

This means that if you only have client_credentials or authorization_code enabled as a grant_flow on Doorkeeper, this flow is not honoring the validation. Let me know if I have misunderstood.

https://github.com/doorkeeper-gem/doorkeeper/blob/f02fcb447a0b39c43cae350a600b853a0e69ee60/lib/doorkeeper/oauth/client_credentials/validator.rb#L31
https://github.com/doorkeeper-gem/doorkeeper/blob/f02fcb447a0b39c43cae350a600b853a0e69ee60/lib/doorkeeper/config.rb#L285

irminsul commented 1 year ago

I'll look into this next week.

marco-nicola commented 1 year ago

Hi! Thanks for opening this issue, @yoda.

You are right, the current code is not validating against the allow_grant_flow_for_client option. It looks like an accidental omission.

Adding a validation to the two classes handling the main requests should be enough.

A PR will follow shortly. Please feel free to have a look and see if I forgot something.
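As an added illustration of the check discussed in this thread (example code, not the gem's, Doorkeeper's, or any commenter's), here is a stand-alone model of a device-grant validator that honours both the enabled grant_flows list and the per-client allow_grant_flow_for_client hook. The Demo* names and the helper are assumptions; the grant type string is the RFC 8628 device_code URN.

```ruby
# Assumed stand-ins for Doorkeeper config and application objects (not Doorkeeper's own classes).
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

DemoApplication = Struct.new(:name, :allowed_flows)

class DemoConfig
  attr_accessor :grant_flows, :allow_grant_flow_for_client

  def initialize
    @grant_flows = ["authorization_code", "client_credentials"]
    # Doorkeeper's documented default: every application may use every enabled flow.
    @allow_grant_flow_for_client = ->(_grant_flow, _client) { true }
  end

  def allow_grant_flow_for_client?(grant_flow, client)
    allow_grant_flow_for_client.call(grant_flow, client)
  end
end

# Mirrors the client_credentials validator quoted above: the flow must be enabled
# globally and the per-client hook must permit it. Returns nil when the request is
# valid, otherwise the OAuth error symbol the response would carry.
def demo_validate_device_grant(config, application)
  return :unsupported_grant_type unless config.grant_flows.include?(DEVICE_CODE_GRANT)
  return :unauthorized_client unless config.allow_grant_flow_for_client?(DEVICE_CODE_GRANT, application)

  nil
end

# Constructed scenario: a TV app that should use the device flow and a backend job
# that should be limited to client_credentials.
def demo_run
  config = DemoConfig.new
  config.grant_flows << DEVICE_CODE_GRANT
  tv_app  = DemoApplication.new("smart-tv", [DEVICE_CODE_GRANT])
  backend = DemoApplication.new("backend-job", ["client_credentials"])

  # With the default hook both applications pass, which is the gap the issue describes.
  default = [tv_app, backend].map { |app| demo_validate_device_grant(config, app) }

  # Once the operator restricts flows per application, the backend job is rejected.
  config.allow_grant_flow_for_client = ->(flow, app) { app.allowed_flows.include?(flow) }
  restricted = [tv_app, backend].map { |app| demo_validate_device_grant(config, app) }

  { default: default, restricted: restricted }
end
```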

yoda commented 11 months ago

Poke