golang / oauth2

Go OAuth2
https://golang.org/x/oauth2
BSD 3-Clause "New" or "Revised" License

RFC6749 spec violation: Not compatible with public clients #741

Closed arianvp closed 1 month ago

arianvp commented 1 month ago

If you are using a public OAuth client (that doesn't have credentials) (e.g. when using PKCE), then according to https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3 the token request must include client_id as a field. This library doesn't do that, nor does it expose it as an option.

client_id REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.

However, there is no way in this library to set the client_id in a token request.

This means this library is incompatible with OAuth servers that support public clients.

arianvp commented 1 month ago

I think we can do this by adding an AuthStyleNone to the enum.

arianvp commented 1 month ago

This works:

    // Public client: no secret, so the client_id is sent in the token request body.
    config := oauth2.Config{
        ClientID:     *clientID,
        ClientSecret: "",
        Endpoint: oauth2.Endpoint{
            AuthURL:   serverMeta.AuthorizationEndpoint,
            TokenURL:  serverMeta.TokenEndpoint,
            AuthStyle: oauth2.AuthStyleInParams,
        },
        RedirectURL: redirectURL,
        Scopes:      []string{"openid"},
    }

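
As an added example (not the project's code, and written against RFC 6749 rather than the library's internals), a stdlib-only sketch of the token request a public client must send and the matching check a token endpoint performs: without client authentication, client_id has to be in the body, which is what the AuthStyleInParams workaround above achieves. The AuthStyle names are assumed to mirror the library's, and all URLs, codes and identifiers are constructed.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

type AuthStyle int // where client credentials are placed (assumed names, not the library's types)
const (
	AuthStyleInHeader AuthStyle = iota // HTTP Basic authentication (RFC 6749 §2.3.1)
	AuthStyleInParams                  // client_id, and client_secret if any, as form fields
)
// ErrMissingClientID: a client that did not authenticate also omitted client_id (RFC 6749 §4.1.3).
var ErrMissingClientID = errors.New("invalid_request: client_id required when the client does not authenticate")

// NewTokenRequest builds an authorization_code token request; a public client has no secret, so only AuthStyleInParams identifies it.
func NewTokenRequest(tokenURL, clientID, clientSecret, code, redirectURI string, style AuthStyle) (*http.Request, error) {
	v := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	if style == AuthStyleInParams {
		v.Set("client_id", clientID)
		if clientSecret != "" { // a public client sends no client_secret field at all
			v.Set("client_secret", clientSecret)
		}
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(v.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style == AuthStyleInHeader && clientSecret != "" {
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	return req, nil
}

// IdentifyClient is the token endpoint's §4.1.3 check: authenticated (HTTP Basic here) or identified by client_id, else rejected.
func IdentifyClient(r *http.Request) (string, error) {
	if id, _, ok := r.BasicAuth(); ok {
		return id, nil // confidential client; its secret must still be verified against the registration
	}
	if err := r.ParseForm(); err != nil {
		return "", err
	}
	if id := r.PostForm.Get("client_id"); id != "" {
		return id, nil // public client: identified, not authenticated
	}
	return "", ErrMissingClientID
}
```

A public client configured for header-style credentials ends up sending neither an Authorization header nor a client_id, which is exactly the request the endpoint rejects.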
arianvp commented 1 month ago

Weird. I cannot reproduce this anymore...