Open kbernst30 opened 8 months ago
Just to confirm that this breaks the standard, I reviewed the OAuth2 documentation. It says in section 3.2 that: "Parameters sent without a value MUST be treated as if they were omitted from the request." So not sending the parameter, or putting in a null/empty value, should be treated the same, even though it is not completely clear what they mean by 'without a value'.
https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
This is confirmed in section 2.3.1 where it mentions the client_secret parameter MAY be omitted by clients if empty. https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
It appears to me as though the solution implemented in https://github.com/jazzband/django-oauth-toolkit/pull/1276 is not sufficient.
I still need to send a `client_secret` with the request as an empty string to generate a token. For example:
Sending a POST body to the token endpoint with:
Results in an error of
{"error": "invalid_client"}
Whereas a body of:
Works correctly. I should be able to omit the secret entirely (as some frontend OIDC libraries will do) and still have a successful response. Line 173 in `oauth2_validators.py`, which should fix the problem:

is still returning `None` if the secret was not sent at all, as `None` is the value set in the request object, so the default empty string never gets set.

I have verified I am running version 2.3.0, which appears to be the latest release.
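The normalisation the issue asks for, as an added example that is not django-oauth-toolkit's code or the reporter's: a missing `client_secret` (`None`) and an empty one (`""`) are treated identically per RFC 6749 section 3.2, while a confidential client that omits its secret still gets `invalid_client`. The `TokenRequest`, `Application` and function names are hypothetical; `secret_matches_buggy` only sketches the behaviour described above, not the library's actual code.

```python
"""Added example: treating an omitted client_secret like an empty one."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRequest:
    """Hypothetical parsed token request; client_secret is None when the
    parameter was never sent and "" when it was sent empty."""
    client_id: str
    client_secret: Optional[str]


@dataclass
class Application:
    """Hypothetical registered client; public clients store "" as secret."""
    client_id: str
    client_secret: str


def normalize_secret(value: Optional[str]) -> str:
    """RFC 6749 s3.2: a parameter sent without a value is treated as if it
    were omitted, so None and "" must behave the same from here on."""
    return "" if value is None else value


def secret_matches_buggy(request: TokenRequest, app: Application) -> bool:
    """Sketch of the defect reported above: only "" falls back to the empty
    default, so a request that omitted the parameter keeps None and fails."""
    if request.client_secret == "":
        return app.client_secret == ""
    return request.client_secret == app.client_secret


def secret_matches(request: TokenRequest, app: Application) -> bool:
    """Fixed check: normalise first, then compare in constant time so a
    mismatch does not leak how many leading bytes were correct."""
    sent = normalize_secret(request.client_secret)
    return hmac.compare_digest(sent.encode(), app.client_secret.encode())


def authenticate_client(request: TokenRequest, app: Application) -> dict:
    """Token-endpoint outcome: {"ok": True} or the RFC 6749 error body."""
    if request.client_id != app.client_id or not secret_matches(request, app):
        return {"error": "invalid_client"}
    return {"ok": True}
```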