Currently, the device authorization codes request does not include the `client_secret` parameter (aka apiKey).

The OAuth 2.0 Device Grant RFC states [1]:

> The client authentication requirements of Section 3.2.1 of [RFC6749] apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint...

Hence, the method `OAuth20Service#createDeviceAuthorizationCodesRequest(String)` should not only set the `client_id`, but also the `client_secret` here [2].

Imho the line

```java
request.addParameter(OAuthConstants.CLIENT_ID, getApiKey());
```

should be replaced with:

```java
api.getClientAuthentication().addClientAuthentication(request, getApiKey(), getApiSecret());
```

I observed this issue when trying to test device authorization with a confidential Keycloak client - I got a Keycloak response 401 with body:

```json
{"error":"unauthorized_client","error_description":"Client secret not provided in request"}
```
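As an added illustration (standalone code, not ScribeJava's own classes, with hypothetical names), the following Java shows the two client-authentication schemes RFC 6749 section 2.3.1 allows for a confidential client, applied to a device authorization request: the secret in the request body, which is what the suggested `addClientAuthentication` call would add, or in an HTTP Basic `Authorization` header. It also keeps the client_id-only form from the issue for comparison.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class DeviceAuthExample {
    /** Hypothetical stand-in for an OAuth request: form body parameters plus headers. */
    static final class Request {
        final Map<String, String> bodyParams = new LinkedHashMap<>();
        final Map<String, String> headers = new LinkedHashMap<>();
        /** application/x-www-form-urlencoded body, as sent to the device authorization endpoint. */
        String formBody() {
            StringBuilder sb = new StringBuilder();
            bodyParams.forEach((k, v) -> sb.append(sb.length() == 0 ? "" : "&")
                    .append(enc(k)).append('=').append(enc(v)));
            return sb.toString();
        }
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    /** Behaviour reported in the issue: client_id only, so a confidential client gets unauthorized_client. */
    static Request withoutClientAuth(String apiKey, String scope) {
        Request r = new Request();
        r.bodyParams.put("client_id", apiKey);   // RFC 8628 section 3.1 parameters
        r.bodyParams.put("scope", scope);
        return r;
    }
    /** RFC 6749 section 2.3.1, request-body scheme: what the suggested addClientAuthentication call adds. */
    static Request withBodyAuth(String apiKey, String apiSecret, String scope) {
        Request r = withoutClientAuth(apiKey, scope);
        r.bodyParams.put("client_secret", apiSecret);
        return r;
    }
    /** RFC 6749 section 2.3.1, HTTP Basic scheme: each credential is form-urlencoded before base64. */
    static Request withBasicAuth(String apiKey, String apiSecret, String scope) {
        Request r = withoutClientAuth(apiKey, scope);
        String creds = enc(apiKey) + ":" + enc(apiSecret);
        r.headers.put("Authorization", "Basic "
                + Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8)));
        return r;
    }

    public static void main(String[] args) {
        // Constructed sample credentials; both authenticated forms carry the secret.
        System.out.println(withBodyAuth("my-client", "s3cr3t", "openid").formBody());
        System.out.println(withBasicAuth("my-client", "s3cr3t", "openid").headers);
    }
}
```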
[1] https://datatracker.ietf.org/doc/html/rfc8628#section-3.1
[2] scribejava/scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuth20Service.java, line 506 at commit 3a07d71