-
Notifications
You must be signed in to change notification settings - Fork 996
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No authentication sent with OAuth2 device authorization request #685
Comments
Stumbled on the very same issue today and it took use hours to trace the pb to the Can somebody enlighten me as to why it's not included? Thanks in advance |
nsklikas
added a commit
to nsklikas/oauth2
that referenced
this issue
Nov 27, 2024
According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1, the device auth request must include client authentication. Fixes golang#685
nsklikas
added a commit
to nsklikas/oauth2
that referenced
this issue
Nov 27, 2024
According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1, the device auth request must include client authentication. Fixes golang#685
nsklikas
added a commit
to nsklikas/oauth2
that referenced
this issue
Nov 27, 2024
According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1, the device auth request must include client authentication. Fixes golang#685
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When a client is configured with a client secret, i.e. it's a confidential client, this secret is not sent with the device authorization request (the very first request where you retrieve the
DeviceAuthResponse
). RFC-8628 states that:In the
DeviceAuth
(deviceauth.go:82
) method, theclient_id
is always added as a query parameter and the secret is not used. This method should use the same construction as used innewTokenRequest
intoken.go:183
.The text was updated successfully, but these errors were encountered: