Doorkeeper: Do we really need client_secret to get access_token on PKCE flow?

Created on 23 Jul 2020  路  1Comment  路  Source: doorkeeper-gem/doorkeeper

Do we really need client_secret to get access_token on PKCE flow?

If I include -F client_secret="xxxx" in the request it works just fine. The thing is PKCE flow is used by client only apps and it is a replacement for Implicit Flow. Why client_secret is still needed in exchanging code with access_token?

On these posts, client_secret is not needed for getting an access_token:

More detailed question:
https://stackoverflow.com/questions/63057801/do-we-really-need-client-secret-to-get-access-token-on-pkce-flow

Steps to reproduce

  1. In Rails console:
Doorkeeper::Application.create :name => 'Test App', :uid => 'xxxx', :secret => 'xxxx', :redirect_uri => 'urn:ietf:wg:oauth:2.0:oob'
Post.create :title => 'Post 1', :body => 'Post 1 Body'
  1. In command line:
curl -X POST 'http://localhost:3000/oauth/authorize?client_id=xxxx&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=public&code_challenge=testchallenge&code_challenge_method=plain'
  1. In command line:
curl -i http://localhost:3000/oauth/token \
  -F grant_type="authorization_code" \
  -F client_id="xxxx" \
  -F code="8quZ-EAiKKG2EKnQiSYs3xeFRCgsIwcTbaWNdjnpyFg" \
  -F redirect_uri="urn:ietf:wg:oauth:2.0:oob" \
  -F code_verifier="testchallenge"

Expected behavior

{
    "access_token": "nQoorBqLxQH4qFpmlx3mGG6Cd_TfX4d3L3gAGOTwrFs",
    "token_type": "Bearer",
    "expires_in": 7200,
    "scope": "public",
    "created_at": 1595517643
}

Actual behavior

{
    "error": "invalid_client",
    "error_description": "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
}

System configuration

Doorkeeper initializer:

# config/initializers/doorkeeper.rb
Doorkeeper.configure do
  orm :active_record

  resource_owner_authenticator do
    Post.first
  end

  api_only

  base_controller 'ApplicationController'

  default_scopes  :public
end

OS: macOS Catalina 10.15.5 (19F101)
Ruby version: ruby 2.6.0p0 (2018-12-25 revision 66547) [x86_64-darwin18]
Rails version: Rails 6.0.3.2
Doorkeeper version: doorkeeper (5.4.0)

Most helpful comment

It seems like I need to make the Doorkeeper::Application's confidential field to false to be able to get access_token without client_secret.

So it will be:

Doorkeeper::Application.create :name => 'Test App', :uid => 'xxxx', :secret => 'xxxx', :redirect_uri => 'urn:ietf:wg:oauth:2.0:oob', :confidential => false

I found the solution in:
https://github.com/doorkeeper-gem/doorkeeper/blob/master/spec/requests/flows/authorization_code_spec.rb#L348

>All comments

It seems like I need to make the Doorkeeper::Application's confidential field to false to be able to get access_token without client_secret.

So it will be:

Doorkeeper::Application.create :name => 'Test App', :uid => 'xxxx', :secret => 'xxxx', :redirect_uri => 'urn:ietf:wg:oauth:2.0:oob', :confidential => false

I found the solution in:
https://github.com/doorkeeper-gem/doorkeeper/blob/master/spec/requests/flows/authorization_code_spec.rb#L348

Was this page helpful?
0 / 5 - 0 ratings