
Make ROPG flow to require client auth as stated in the RFC #1420

Merged
merged 1 commit into from
May 29, 2020

Conversation

nbulaj
Member

@nbulaj nbulaj commented May 29, 2020

Require client authentication for Resource Owner Password Grant as stated in OAuth RFC

[IMPORTANT] you need to create a new OAuth client (Doorkeeper::Application) if you didn't
have it before and use client credentials in HTTP Basic auth if you previously used this grant
flow without client authentication. For migration purposes you could enable
skip_client_authentication_for_password_grant configuration option to true, but such behavior
(as well as configuration option) would be completely removed in a future version of Doorkeeper.
All the users of your provider application now need to include client credentials when they use
this grant flow.

Fixes #1412 (comment)
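Added example (not Doorkeeper's own code) of the token-endpoint decision the PR description asks for: a `grant_type=password` request is refused with `invalid_client` unless the client authenticates with HTTP Basic credentials, and the migration switch `skip_client_authentication_for_password_grant` only relaxes the *absent*-header case, never an invalid one. The client registry, the resource owner, the header parser and the `GrantConfig` struct are all constructed for this illustration and are not the project's API.

```ruby
# Constructed sample data standing in for Doorkeeper::Application records and
# resource owners (not the project's own data or code).
CLIENTS = { 'client-id-123' => 'client-secret-abc' }.freeze
USERS   = { 'alice' => 'correct horse battery' }.freeze # plaintext only for the demo

# Mirrors the migration switch named in the PR; false is the strict default.
GrantConfig = Struct.new(:skip_client_authentication_for_password_grant)

# Build the header a client sends: "Basic base64(client_id:client_secret)".
def basic_header(client_id, client_secret)
  'Basic ' + ["#{client_id}:#{client_secret}"].pack('m0')
end

# Parse an HTTP Basic Authorization header into [id, secret], or nil when it is
# absent, uses another scheme, or is not valid base64.
def parse_basic_auth(header)
  return nil unless header.is_a?(String)
  scheme, encoded = header.split(' ', 2)
  return nil unless scheme && encoded && scheme.casecmp?('basic')
  decoded = begin
    encoded.strip.unpack1('m0')
  rescue ArgumentError
    return nil
  end
  id, secret = decoded.split(':', 2)
  return nil if id.nil? || id.empty? || secret.nil?
  [id, secret]
end

# Length-guarded constant-time comparison so a wrong secret cannot be timed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the client id when the presented credentials match a registered client.
def authenticate_client(header)
  id, secret = parse_basic_auth(header)
  return nil if id.nil?
  stored = CLIENTS[id]
  stored && secure_compare(stored, secret) ? id : nil
end

# Simulated token endpoint decision for grant_type=password.
# Returns a hash with :status and either :error or the authenticated parties.
def password_grant(params, auth_header, config)
  return { status: 400, error: 'unsupported_grant_type' } unless params['grant_type'] == 'password'

  client_id = nil
  if auth_header
    # Credentials that are presented must be valid, whatever the config says.
    client_id = authenticate_client(auth_header)
    return { status: 401, error: 'invalid_client' } if client_id.nil?
  elsif !config.skip_client_authentication_for_password_grant
    # RFC 6749 section 4.3.2: the client must authenticate; no header, no token.
    return { status: 401, error: 'invalid_client' }
  end

  expected = USERS[params['username']]
  unless expected && secure_compare(expected, params['password'].to_s)
    return { status: 400, error: 'invalid_grant' }
  end
  { status: 200, client: client_id, user: params['username'] }
end
```

With the strict default, a request carrying only `username`/`password` form fields never reaches the resource-owner check; with the legacy switch on, the same request is issued a token bound to no client (`client: nil`), which is exactly the state the PR says will stop being supported.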

@nbulaj nbulaj added this to the 5.5 milestone May 29, 2020
@nbulaj nbulaj merged commit a897b42 into master May 29, 2020
@nbulaj nbulaj deleted the make-client-mandatory-for-ropg branch May 29, 2020 17:37
@ghiculescu
Contributor

@nbulaj should https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Resource-Owner-Password-Credentials-flow be updated? The current example doesn't mention this at all.

Successfully merging this pull request may close these issues.

Recent Change in Token Revocation Endpoint Behavior Breaks Revocation of Tokens for Public Client