go-oauth2 / oauth2

OAuth 2.0 server library for the Go programming language.
https://pkg.go.dev/github.com/go-oauth2/oauth2/v4
MIT License

It's not possible to differentiate between confidential and public oauth2 clients? #232

Closed jarlandre closed 1 year ago

jarlandre commented 1 year ago

ref https://oauth.net/2/client-types/

This oauth2 server implementation does not allow storing confidential clients, nor does it treat them differently from public ones.

This is a problem, and is also the reason why it's not possible to make public-only clients that can only use the auth code flow grant with PKCE, without fixing it like I did in https://github.com/go-oauth2/oauth2/pull/230, which basically circumvents this by allowing a secret to be set on a client while at the same time allowing a secret-less auth code flow. Without my suggested fix, if you set the secret to a blank or nil value, you will be able to request a token from the token endpoint with the client_credentials grant without even passing in the secret, which is horrendous.

EDIT: remade the #230 PR into a new PR #234
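The failure mode described in the comment above, as an added stand-alone Go example that is not code from the go-oauth2 library or from the linked PRs. It models a client registry with an explicit `Public` flag (the distinction the issue asks for) and contrasts a naive secret comparison, which accepts a blank secret against a blank stored secret, with a check that refuses `client_credentials` for public clients, requires PKCE on their `authorization_code` exchange, and requires a registered, matching secret for confidential clients. The `Client`, `TokenRequest`, registry contents and error names are constructed for the example; real deployments would store a hash of the secret rather than the plaintext shown here.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Client is a constructed registry record standing in for a stored OAuth2
// client. Public is the flag the issue asks for: true means the client
// cannot hold a secret and must not use secret-based grants.
type Client struct {
	ID     string
	Secret string // empty for public clients
	Public bool
}

// TokenRequest holds the token-endpoint fields relevant to this check.
type TokenRequest struct {
	GrantType    string
	ClientID     string
	ClientSecret string
	CodeVerifier string // PKCE verifier, expected on authorization_code
}

var (
	ErrUnknownClient   = errors.New("invalid_client: unknown client")
	ErrBadSecret       = errors.New("invalid_client: client authentication failed")
	ErrGrantNotAllowed = errors.New("unauthorized_client: grant not allowed for public client")
	ErrPKCERequired    = errors.New("invalid_request: code_verifier required for public client")
)

// registry is constructed sample data: one confidential client and one
// public client registered with a blank secret.
var registry = map[string]Client{
	"web-backend": {ID: "web-backend", Secret: "s3cr3t", Public: false},
	"mobile-app":  {ID: "mobile-app", Secret: "", Public: true},
}

// naiveAuthorize models the behaviour the issue describes: the stored secret
// is compared with the supplied one as plain strings, so a blank stored
// secret matches an absent client_secret and client_credentials succeeds.
func naiveAuthorize(req TokenRequest) error {
	c, ok := registry[req.ClientID]
	if !ok {
		return ErrUnknownClient
	}
	if c.Secret != req.ClientSecret {
		return ErrBadSecret
	}
	return nil
}

// hardenedAuthorize distinguishes the two client types. Public clients may
// only redeem an authorization code (with PKCE) or a refresh token;
// confidential clients must present a secret that matches a non-empty
// registered secret, compared in constant time.
func hardenedAuthorize(req TokenRequest) error {
	c, ok := registry[req.ClientID]
	if !ok {
		return ErrUnknownClient
	}
	if c.Public {
		switch req.GrantType {
		case "authorization_code":
			if req.CodeVerifier == "" {
				return ErrPKCERequired
			}
		case "refresh_token":
			// allowed: the refresh token itself is the credential
		default:
			return ErrGrantNotAllowed
		}
		return nil
	}
	if c.Secret == "" ||
		subtle.ConstantTimeCompare([]byte(c.Secret), []byte(req.ClientSecret)) != 1 {
		return ErrBadSecret
	}
	return nil
}

func main() {
	req := TokenRequest{GrantType: "client_credentials", ClientID: "mobile-app"}
	fmt.Println("naive:   ", naiveAuthorize(req))    // <nil>: token issued with no secret
	fmt.Println("hardened:", hardenedAuthorize(req)) // unauthorized_client
}
```

The point of the hardened version is that the decision is driven by the stored client type, not by whether a secret happens to be present: a confidential client with an accidentally blank registered secret is refused outright instead of becoming secret-less, and a public client cannot reach `client_credentials` at all.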

jarlandre commented 1 year ago

fixed by https://github.com/go-oauth2/oauth2/pull/234