From: =?UTF-8?q?Manuel=20Dura=CC=81n=20Aguete?= <manuel@aguete.org>
Date: Thu, 25 Feb 2016 10:02:19 +0100
Subject: [PATCH] Implicit Grant doesn't need client secret

As RFC mentions:

> The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI.

Client secret is not needed.

diff --git a/src/oauth2.erl b/src/oauth2.erl
index 9faaee5..9eb8d1d 100644
--- a/src/oauth2.erl
+++ b/src/oauth2.erl
@@ -117,13 +117,17 @@ authorize_password(User, Client, Scope, Ctx0) ->
 -spec authorize_password(user(), client(), rediruri(), scope(), appctx()) ->
 {ok, {appctx(), auth()}} | {error, error()}.
 authorize_password(User, Client, RedirUri, Scope, Ctx0) ->
- case auth_client(Client, RedirUri, Ctx0) of
- {error, _} -> {error, invalid_client};
- {ok, {Ctx1, C}} ->
- case auth_user(User, Scope, Ctx1) of
+ case ?BACKEND:get_client_identity(Client,Ctx0) of
+ {error, _} ->{error, invalid_client};
+ {ok,{Ctx1,C}} ->
+ case ?BACKEND:verify_redirection_uri(C, RedirUri, Ctx1) of
+ {error, _} -> {error, invalid_client};
+ {ok, Ctx2} ->
+ case auth_user(User, Scope, Ctx2) of
 {error, _} = E -> E;
- {ok, {Ctx2, Auth}} -> {ok, {Ctx2, Auth#a{client=C}}}
+ {ok, {Ctx3, Auth}} -> {ok, {Ctx3, Auth#a{client=C}}}
 end
+ end
 end.
 
 %% @doc Validates a request for an access token from client's credentials.
diff --git a/test/oauth2_tests.erl b/test/oauth2_tests.erl
index 363ba9d..a1c9fb1 100644
--- a/test/oauth2_tests.erl
+++ b/test/oauth2_tests.erl
@@ -111,7 +111,7 @@ authorize_implicit_grant_test_() ->
 fun() ->
 {ok, {foo_context, Auth}} = oauth2:authorize_password(
 {?USER_NAME,?USER_PASSWORD}
- , {?CLIENT_ID,?CLIENT_SECRET}
+ , ?CLIENT_ID
 , ?CLIENT_URI
 , ?USER_SCOPE
 , foo_context),
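Review bot: A mismatched redirection URI is reported as `invalid_client` in the new `verify_redirection_uri/3` branch, the same reason as an unknown client, so a caller cannot tell the two apart; for the implicit grant the registered redirection URI is the only thing binding the request to a client, and a redirect-URI mismatch must not be answered by redirecting to it, so a distinct reason (if the `error()` type already has one for a bad redirect URI) would let callers handle that case correctly. The `-spec` just above the change still declares the second argument as `client()`, while the updated test passes a bare `?CLIENT_ID`; if `client()` is still the id/secret pair, the spec and the `%% @doc` above the hunk should state what `get_client_identity/2` actually accepts. A short comment would make the trust model explicit, e.g. `%% Implicit grant (RFC 6749 §4.2): no client authentication; the registered redirection URI is the only binding to the client, so verify_redirection_uri/3 must match it exactly.` The three nested `case` expressions could be lifted into small helpers, and the spacing in `{error, _} ->{error, invalid_client};` and `{ok,{Ctx1,C}}` should follow the surrounding code.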
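Review bot: The updated `authorize_implicit_grant_test_` still exercises only the success path with the registered `?CLIENT_URI`; since the redirection URI is now the sole check tying the request to the client, a case asserting `{error, invalid_client}` (the reason the new `authorize_password/5` returns) for a non-registered redirect URI would pin that check, unless one already exists elsewhere in the file. The enclosing test generator starts outside the hunk.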