fix: mark client_id as required in oauth2 token endpoint #421

Open

wants to merge 1 commit into main
Conversation

@jgresty (Member) commented Jan 8, 2025

The token endpoint using client_credentials flow requires a client_id, which was previously not documented. This adds that field as well as makes it clear there are two separate shapes for requests depending on the client_assertion_type.

@jgresty jgresty requested a review from a team as a code owner January 8, 2025 19:48
Required for `private_key_jwt` auth, the method of client_assertion
being sent. Only "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
is supported.
client_id:
Contributor
Can move this into ClientCredentialsSecret since it's not needed for private_key_jwt.

Member Author

Contributor

Ah, good point. Looks like just for logging purposes (otherwise it uses the client model directly), and I think that was added recently-ish.

Originally it worked without needing it, since the client_id is the sub on the self-signed JWT: https://github.com/snyk/service-account-oauth-demo/blob/main/03_get-access-token.py#L39-L45

docs/.gitbook/assets/oauth-api-spec.yaml (review thread marked outdated and resolved)
The token endpoint using client_credentials flow requires a client_id, which
was previously not documented. This adds that field as well as makes it clear
there are two separate shapes for requests depending on the
client_assertion_type.
@jgresty jgresty force-pushed the fix/client-id-required branch from 2e7a46f to 88898a9 Compare January 8, 2025 22:06
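Worked example of the two request shapes discussed in this PR, added here as an illustration; it is not code from the PR or from the Snyk project. It builds a client_secret request and a private_key_jwt request (client_assertion_type urn:ietf:params:oauth:client-assertion-type:jwt-bearer) and runs both through a toy token-endpoint validator that applies the rule the review thread circles around: client_id is required in the secret shape, optional in the assertion shape, and when it is sent together with an assertion it must equal the assertion's sub (RFC 7521 section 4.2). Without that cross-check a server that uses the form's client_id "just for logging" can be made to attribute a token to a client other than the one that actually authenticated. The TOKEN_ENDPOINT URL, the function names, the constructed client id and the HMAC-SHA256 stand-in for the asymmetric signature a real private_key_jwt verifier checks are all assumptions of this example.

```python
# Added example (not code from the PR or the Snyk project): the two request
# shapes of the client_credentials token endpoint and a toy server-side check.
# TOKEN_ENDPOINT, the function names and the HMAC stand-in are assumptions.
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://api.example.com/oauth2/token"  # assumed audience value


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def validate_token_request(body: str, verify_signature, now: int):
    """Return (True, client_id) or (False, oauth_error_code)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "client_credentials":
        return False, "unsupported_grant_type"
    # client_assertion_type selects the request shape; each has its own required params.
    if "client_assertion_type" not in form:
        # Shape 1: client secret. client_id is required, which is the omission
        # the PR corrects in the spec.
        if not form.get("client_id") or not form.get("client_secret"):
            return False, "invalid_request"
        return True, form["client_id"]

    # Shape 2: private_key_jwt. Only the jwt-bearer assertion type is accepted.
    if form["client_assertion_type"] != JWT_BEARER or not form.get("client_assertion"):
        return False, "invalid_request"
    try:
        header_b64, payload_b64, sig_b64 = form["client_assertion"].split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "invalid_client"
    if not verify_signature(header, f"{header_b64}.{payload_b64}".encode(), signature):
        return False, "invalid_client"
    # The assertion identifies the client: iss and sub must agree, and it must
    # be addressed to this endpoint and still be valid.
    sub = claims.get("sub")
    if not sub or claims.get("iss") != sub:
        return False, "invalid_client"
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now:
        return False, "invalid_client"
    # client_id is optional with an assertion, but when sent it MUST name the
    # same client (RFC 7521 s4.2). Without this check a caller could make the
    # server log one client_id while authenticating as another.
    if "client_id" in form and form["client_id"] != sub:
        return False, "invalid_client"
    return True, sub


# --- Constructed sample data. HMAC-SHA256 with a shared demo key stands in for
# the asymmetric signature (e.g. RS256) a real private_key_jwt verifier checks
# against the client's registered public key; it keeps the example offline.
DEMO_KEY = b"constructed-demo-key"


def hs256_verify(header: dict, signing_input: bytes, signature: bytes) -> bool:
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return header.get("alg") == "HS256" and hmac.compare_digest(expected, signature)


def make_assertion(client_id: str, exp: int) -> str:
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "exp": exp, "jti": "constructed-jti-1"}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def demo():
    now = 1736380000  # fixed clock keeps the example deterministic
    cid = "11111111-2222-3333-4444-555555555555"  # constructed client id
    common = {"grant_type": "client_credentials"}
    secret_req = urlencode({**common, "client_id": cid, "client_secret": "s3cret"})
    jwt_req = urlencode({**common, "client_assertion_type": JWT_BEARER,
                         "client_assertion": make_assertion(cid, now + 60)})
    # Same valid assertion, but the form claims to be a different client.
    spoofed_req = jwt_req + "&" + urlencode({"client_id": "someone-else"})
    # Secret shape with client_id omitted, which the old spec did not rule out.
    no_cid_req = urlencode({**common, "client_secret": "s3cret"})
    return {
        "secret": validate_token_request(secret_req, hs256_verify, now),
        "jwt": validate_token_request(jwt_req, hs256_verify, now),
        "spoofed": validate_token_request(spoofed_req, hs256_verify, now),
        "no_client_id": validate_token_request(no_cid_req, hs256_verify, now),
    }
```

Running demo() accepts the secret request and the plain assertion request and returns the client id for each, rejects the assertion request that adds a foreign client_id with invalid_client, and rejects the secret request without client_id with invalid_request. The signature callback is injected so the same validator can be wired to a real RS256/ES256 verifier keyed on the client's registered public key.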
2 participants