thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Always validate client #1420

Open hafezdivandari opened 5 days ago

hafezdivandari commented 5 days ago

This PR can be considered a security enhancement and makes 2 changes:

  1. Always validate client:
    • The auth code grant - unlike all other grants - calls AbstractGrant::validateClient() only if the client is confidential. This causes an issue when the client is not confidential but we want to check whether the client handles the requested grant type or not. The ClientRepository::validateClient() implementation can easily check if the client is confidential itself before verifying the client secret, as we already do on Laravel Passport. This PR makes the server always call AbstractGrant::validateClient().
    • The auth code grant and client credential grants unnecessarily call AbstractGrant::getClientEntityOrFail() twice instead of just using the AbstractGrant::validateClient() return value, this PR fixes that.
  2. Pass grant type to ClientRepositoryInterface::getClientEntity():
    • Currently there is no way to check if the client handles the grant type before proceeding with the request, e.g. we don't want to make an auth code on the "auth code grant", make a device code on the "device code auth" grant, or respond with the access token on the "implicit token" grant if the specified client doesn't handle the grant type. This PR makes this possible, to avoid handling the requested grant type if the specified client doesn't support that.
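As an added example (not code from this PR or from the oauth2-server project), here is what a ClientRepositoryInterface implementation that checks confidentiality itself before verifying the secret, and rejects a client that is not allowed to use the requested grant type, can look like. It uses the library's existing validateClient($clientIdentifier, $clientSecret, $grantType) signature rather than the changed getClientEntity() this PR proposes; the AppClient class, its handlesGrantType() method and the two sample clients are assumptions constructed for the example.

```php
<?php
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\Traits\{ClientTrait, EntityTrait};
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
// Hypothetical client entity: the library's ClientEntityInterface knows nothing about
// allowed grant types, so that restriction is an application-level addition here.
final class AppClient implements ClientEntityInterface
{
    use EntityTrait, ClientTrait;
    /** @param string[] $grantTypes grant types this client is allowed to use */
    public function __construct(string $id, bool $confidential, private array $grantTypes)
    {
        $this->identifier = $this->name = $id;
        $this->redirectUri = 'https://app.example/cb'; // constructed placeholder
        $this->isConfidential = $confidential;
    }
    public function handlesGrantType(string $grantType): bool
    {
        return in_array($grantType, $this->grantTypes, true);
    }
}

final class AppClientRepository implements ClientRepositoryInterface
{
    /** @var array<string, array{AppClient, ?string}> id => [entity, secret hash]; constructed sample data */
    private array $clients;
    public function __construct()
    {
        $this->clients = [
            'spa' => [new AppClient('spa', false, ['authorization_code']), null], // public client, no secret
            'svc' => [new AppClient('svc', true, ['client_credentials']), password_hash('s3cret', PASSWORD_DEFAULT)],
        ];
    }
    public function getClientEntity(string $clientIdentifier): ?ClientEntityInterface
    {
        return $this->clients[$clientIdentifier][0] ?? null;
    }
    public function validateClient(string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool
    {
        [$client, $secretHash] = $this->clients[$clientIdentifier] ?? [null, null];
        // Unknown client, or a client (public or confidential) not allowed to use this grant: reject early.
        if ($client === null || ($grantType !== null && !$client->handlesGrantType($grantType))) {
            return false;
        }
        // A public client has no secret to verify, so it is valid here; a confidential client must prove its secret.
        return !$client->isConfidential()
            || ($secretHash !== null && $clientSecret !== null && password_verify($clientSecret, $secretHash));
    }
}
```

With this repository, validateClient('spa', null, 'client_credentials') returns false even though the client is public, which is the check the auth code grant currently skips for non-confidential clients.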