Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Device workflow is missing the client_id parameter in token requests #864

Open
ronnybremer opened this issue Jun 9, 2024 · 2 comments
Open

Comments

@ronnybremer
Copy link

According to https://www.rfc-editor.org/rfc/rfc8628#section-3.4 when requesting a token during the device workflow the client_id is required when the client is not able to authenticate to the IDP.

This code shows, that only the device_code and user_code are used in the request:
https://github.com/openid/AppAuth-iOS/blob/c89ed571ae140f8eb1142735e6e23d7bb8c34cb2/Sources/AppAuthTV/OIDTVTokenRequest.m#L160C1-L172C2

Should that be amended to include the client_id as well?

@ronnybremer
Copy link
Author

Additionally, I found the client_secret to be mandatory in the constructors of OIDTVAuthorizationRequest (the ones relevant to the device workflow), however, the RFC doesn't mention client_secret to be used for the authorization endpoint as the workflow is designed for public clients. Should that be optional?

@akm-masuduzzaman
Copy link

I am facing the same issue. Additionally, when I add the client_id and client_secret to the body, I get invalid_client error.

This is for LinkedIn.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants