
erlang-oauth2-0.6.1-5.mga8.src.rpm

From: =?UTF-8?q?Manuel=20Dura=CC=81n=20Aguete?= <manuel@aguete.org>
Date: Thu, 25 Feb 2016 10:02:19 +0100
Subject: [PATCH] Implicit Grant doesn't  need client secret

As the RFC states:

> The implicit grant type does not include client authentication, and
   relies on the presence of the resource owner and the registration of
   the redirection URI.

Client secret is not needed.

diff --git a/src/oauth2.erl b/src/oauth2.erl
index 9faaee5..9eb8d1d 100644
--- a/src/oauth2.erl
+++ b/src/oauth2.erl
@@ -117,13 +117,17 @@ authorize_password(User, Client, Scope, Ctx0) ->
 -spec authorize_password(user(), client(), rediruri(), scope(), appctx())
                             -> {ok, {appctx(), auth()}} | {error, error()}.
 authorize_password(User, Client, RedirUri, Scope, Ctx0) ->
-    case auth_client(Client, RedirUri, Ctx0) of
-        {error, _}      -> {error, invalid_client};
-        {ok, {Ctx1, C}} ->
-            case auth_user(User, Scope, Ctx1) of
+    case ?BACKEND:get_client_identity(Client,Ctx0) of
+      {error, _}   ->{error, invalid_client};
+      {ok,{Ctx1,C}} ->
+        case ?BACKEND:verify_redirection_uri(C, RedirUri, Ctx1) of
+          {error, _}      -> {error, invalid_client};
+          {ok, Ctx2} ->
+            case auth_user(User, Scope, Ctx2) of
                 {error, _} = E     -> E;
-                {ok, {Ctx2, Auth}} -> {ok, {Ctx2, Auth#a{client=C}}}
+                {ok, {Ctx3, Auth}} -> {ok, {Ctx3, Auth#a{client=C}}}
             end
+        end
     end.
 
 %% @doc Validates a request for an access token from client's credentials.
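Review bot: The `-spec` at the top of the hunk still types the second argument as `client()`, while the new body hands it straight to `?BACKEND:get_client_identity/2` and the updated test passes a bare `?CLIENT_ID`; if `client()` is declared (outside this hunk) as the id/secret pair, the spec no longer describes the function and Dialyzer will not flag callers that still pass a secret, so it should be changed to whatever type the backend's identity lookup accepts. With `auth_client` gone, the `verify_redirection_uri` call is now the only thing binding the issued token to the client, which deserves a comment such as `%% Implicit grant: no client authentication (RFC 6749 §4.2); the registered redirection URI is the only binding to the client.` The new lines also use 2-space indentation against the 4-space style of the surrounding clauses, drop spaces in `Client,Ctx0` and `->{error`, and nest three `case` expressions; pulling the lookup and redirection check into a helper keeps the grant logic readable, as sketched below.
```erlang
authorize_password(User, Client, RedirUri, Scope, Ctx0) ->
    %% Implicit grant: no client authentication (RFC 6749 §4.2); the
    %% registered redirection URI is the only binding to the client.
    case identify_client(Client, RedirUri, Ctx0) of
        {error, _} = E   -> E;
        {ok, {Ctx1, C}} ->
            case auth_user(User, Scope, Ctx1) of
                {error, _} = E     -> E;
                {ok, {Ctx2, Auth}} -> {ok, {Ctx2, Auth#a{client=C}}}
            end
    end.

%% Looks the client up by identity and checks its registered redirection URI.
%% Both failures are reported as invalid_client, as before.
identify_client(Client, RedirUri, Ctx0) ->
    case ?BACKEND:get_client_identity(Client, Ctx0) of
        {error, _}      -> {error, invalid_client};
        {ok, {Ctx1, C}} ->
            case ?BACKEND:verify_redirection_uri(C, RedirUri, Ctx1) of
                {error, _} -> {error, invalid_client};
                {ok, Ctx2} -> {ok, {Ctx2, C}}
            end
    end.
```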
diff --git a/test/oauth2_tests.erl b/test/oauth2_tests.erl
index 363ba9d..a1c9fb1 100644
--- a/test/oauth2_tests.erl
+++ b/test/oauth2_tests.erl
@@ -111,7 +111,7 @@ authorize_implicit_grant_test_() ->
               fun() ->
                       {ok, {foo_context, Auth}} =
                           oauth2:authorize_password( {?USER_NAME,?USER_PASSWORD}
-                                                   , {?CLIENT_ID,?CLIENT_SECRET}
+                                                   , ?CLIENT_ID
                                                    , ?CLIENT_URI
                                                    , ?USER_SCOPE
                                                    , foo_context),