Resource Owner grant type requiring client_id and client_secret
jonmunm opened this issue · 5 comments
Why must the password grant_type be provided with client credentials (in this implementation)? The OAuth2 resource owner spec just needs
{
"grant_type" : "password",
"username" : "some_user_name",
"password" : "some_password"
}
This implementation also requires the client_id and client_secret to be sent with this request for it to be successful.
I just want to know if I'm missing something.
Please refer also to http://andyfiedler.com/2014/09/how-secure-is-the-oauth2-resource-owner-password-credential-flow-for-single-page-apps
I want to grant access from my SPA to the protected resource. Exposing client credentials in the browser source code is potentially dangerous.
Also, the original library at https://bshaffer.github.io/oauth2-server-php-docs/overview/grant-types/ doesn't force client credentials in the resource owner grant type.
I'm not sure either what the purpose of that was. I will let @filsh answer that. That being said, you have another option: create a dummy client and secret and then pass them with the request.
Otherwise, I have created a fork of this library that I maintain. You can send a PR or file a bug.
If I'm not wrong, creating a dummy client and secret is not an option, since my SPA cannot keep those credentials with it, and if somebody watches it he'll be able to get a token using those credentials with the client_credential grant_type.
Reading the original library docs (http://bshaffer.github.io/oauth2-server-php-docs/grant-types/user-credentials/), I figured out that they have the concept of a "public client" (that is, a client with no client_secret).
Using a public client, I can omit the client_secret from the request. Anyway, I read the resource owner spec again, and no mention of that appears in it.
Bye
If I'm not wrong, creating a dummy client and secret is not an option, since my SPA cannot keep those credentials with it, and if somebody watches it he'll be able to get a token using those credentials with the client_credential grant_type.
Ignore that one. I did not think of that.
Reading the original library docs (http://bshaffer.github.io/oauth2-server-php-docs/grant-types/user-credentials/), I figured out that they have the concept of a "public client" (that is, a client with no client_secret).
I believe the reason is they want to recognize the client. That is logical AFAIK, as you don't want to authorize unknown clients. I think the best way would be banning public clients from auth'ing using the client_credential grant_type. Otherwise you have the same issue as my dummy app "nonsense".
Effectively, a public client cannot be authorized with the client_credentials grant_type (tested), so no security flaw should arise around this.
Thanks
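The token-endpoint policy this thread converges on, written out as an added example (not code from oauth2-server-php, the yii2 fork, or anyone in the thread): a client is always identified by client_id; a confidential client must present its secret; a public client (no secret) may use the password grant, but is refused the client_credentials grant, since that grant would otherwise hand out tokens to anyone who can read the SPA's source. The client registry and error strings are constructed for the example; the error codes follow the names RFC 6749 uses.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret: Optional[str]  # None marks a public client (no secret)

# Constructed registry for the example: one public SPA client, one confidential backend client.
CLIENTS: Dict[str, Client] = {
    "spa-public": Client("spa-public", None),
    "backend-confidential": Client("backend-confidential", "example-secret-do-not-reuse"),
}

# Grants a public client may use: it can prove a user's credentials, but not its own identity.
PUBLIC_CLIENT_GRANTS = {"password", "authorization_code", "refresh_token"}

def authorize_token_request(req: dict, clients: Dict[str, Client] = CLIENTS) -> Tuple[bool, str]:
    """Decide whether a token request may proceed. Returns (allowed, reason)."""
    grant = req.get("grant_type")
    client = clients.get(req.get("client_id", ""))
    if client is None:
        # Unknown client_id: the server only issues tokens to registered clients.
        return False, "invalid_client"
    if client.client_secret is None:
        # Public client: nothing to authenticate, so restrict it to user-bound grants.
        if grant not in PUBLIC_CLIENT_GRANTS:
            return False, "unauthorized_client"
    else:
        # Confidential client: the presented secret must match (constant-time compare).
        presented = req.get("client_secret", "")
        if not hmac.compare_digest(presented, client.client_secret):
            return False, "invalid_client"
    if grant == "password":
        # Resource owner grant still needs the user's own credentials.
        if not req.get("username") or not req.get("password"):
            return False, "invalid_request"
    elif grant not in ("client_credentials", "authorization_code", "refresh_token"):
        return False, "unsupported_grant_type"
    return True, "ok"
```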
Glad you solved it :)