Do we really need client_secret to get access_token on PKCE flow?
If I include -F client_secret="xxxx" in the request it works just fine. The thing is PKCE flow is used by client only apps and it is a replacement for Implicit Flow. Why client_secret is still needed in exchanging code with access_token?
On these posts, client_secret is not needed for getting an access_token:
More detailed question:
https://stackoverflow.com/questions/63057801/do-we-really-need-client-secret-to-get-access-token-on-pkce-flow
Doorkeeper::Application.create :name => 'Test App', :uid => 'xxxx', :secret => 'xxxx', :redirect_uri => 'urn:ietf:wg:oauth:2.0:oob'
Post.create :title => 'Post 1', :body => 'Post 1 Body'
curl -X POST 'http://localhost:3000/oauth/authorize?client_id=xxxx&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=public&code_challenge=testchallenge&code_challenge_method=plain'
curl -i http://localhost:3000/oauth/token \
-F grant_type="authorization_code" \
-F client_id="xxxx" \
-F code="8quZ-EAiKKG2EKnQiSYs3xeFRCgsIwcTbaWNdjnpyFg" \
-F redirect_uri="urn:ietf:wg:oauth:2.0:oob" \
-F code_verifier="testchallenge"
{
"access_token": "nQoorBqLxQH4qFpmlx3mGG6Cd_TfX4d3L3gAGOTwrFs",
"token_type": "Bearer",
"expires_in": 7200,
"scope": "public",
"created_at": 1595517643
}
{
"error": "invalid_client",
"error_description": "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
}
Doorkeeper initializer:
# config/initializers/doorkeeper.rb
Doorkeeper.configure do
orm :active_record
resource_owner_authenticator do
Post.first
end
api_only
base_controller 'ApplicationController'
default_scopes :public
end
OS: macOS Catalina 10.15.5 (19F101)
Ruby version: ruby 2.6.0p0 (2018-12-25 revision 66547) [x86_64-darwin18]
Rails version: Rails 6.0.3.2
Doorkeeper version: doorkeeper (5.4.0)
It seems like I need to make the Doorkeeper::Application's confidential field to false to be able to get access_token without client_secret.
So it will be:
Doorkeeper::Application.create :name => 'Test App', :uid => 'xxxx', :secret => 'xxxx', :redirect_uri => 'urn:ietf:wg:oauth:2.0:oob', :confidential => false
I found the solution in:
https://github.com/doorkeeper-gem/doorkeeper/blob/master/spec/requests/flows/authorization_code_spec.rb#L348
Most helpful comment
It seems like I need to make the
Doorkeeper::Application's confidential field tofalseto be able to getaccess_tokenwithoutclient_secret.So it will be:
I found the solution in:
https://github.com/doorkeeper-gem/doorkeeper/blob/master/spec/requests/flows/authorization_code_spec.rb#L348