According to the RFC, the client credentials flow does not have to be linked to a user
Dnomyar opened this issue
According to the RFC, the client credentials flow does not have to be linked to a user. Actually the RFC does not mention the user in the client credentials section.
So I wonder why, in the code, a user must be linked when using this flow (see the code below). Is it an error?
I have seen the bypass in #86, but it's a bypass. Don't you think it could be a good idea to fix it in the lib?
A solution could be to create an AuthInfo for the client credentials flow with an `Option[U]` for the user field?
```scala
import scala.concurrent.{ExecutionContext, Future}

class ClientCredentials extends GrantHandler {
  override def handleRequest[U](request: AuthorizationRequest, handler: AuthorizationHandler[U])(implicit ctx: ExecutionContext): Future[GrantHandlerResult[U]] = {
    val clientCredentialsRequest = new ClientCredentialsRequest(request)
    // client_id / client_secret are mandatory for this grant
    val clientCredential = clientCredentialsRequest.clientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
    val scope = clientCredentialsRequest.scope
    // A user is looked up and required even though the grant carries no user
    handler.findUser(clientCredentialsRequest).flatMap { optionalUser =>
      val user = optionalUser.getOrElse(throw new InvalidGrant("client_id or client_secret or scope is incorrect"))
      // AuthInfo is built with a mandatory user field
      val authInfo = AuthInfo(user, Some(clientCredential.clientId), scope, None)
      issueAccessToken(handler, authInfo)
    }
  }
}
```
PS: thanks for your work
You could create a non-user class, like you pointed out in the issue.
Or having an Option in the user class for the user looks not bad.
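The following is an added, stand-alone sketch of the proposal discussed in this thread; it is not code from scala-oauth2-provider. It models an `AuthInfo` whose `user` is `Option[U]` and a client-credentials handler that validates the client (id, secret, requested scope) instead of calling `findUser`, so client-only tokens carry `user = None` while user-bound grants still populate `Some(user)`. `ClientRegistry`, `ClientCredentialsGrant`, `ownerOf` and the registered clients are hypothetical and constructed for the example.

```scala
// Added example, not code from scala-oauth2-provider: AuthInfo with an
// Option[U] user, and a client-credentials grant that never looks up a user.
// ClientRegistry, ClientCredentialsGrant, ownerOf and the client data are
// hypothetical and exist only for this demonstration.
import java.security.MessageDigest
import scala.concurrent.{Await, ExecutionContext, Future}
import scala.concurrent.ExecutionContext.Implicits.global
import scala.concurrent.duration._

final case class ClientCredential(clientId: String, clientSecret: Option[String])
final case class InvalidRequest(msg: String) extends Exception(msg)
final case class InvalidClient(msg: String) extends Exception(msg)

// Proposed shape: the user is optional, so a client-only grant carries None.
final case class AuthInfo[U](
  user: Option[U],
  clientId: Option[String],
  scope: Option[String],
  redirectUri: Option[String]
)

final case class User(id: String)

// Constructed registry of confidential clients: id -> (secret, allowed scopes).
// Secrets are kept in plaintext only to keep the example short.
object ClientRegistry {
  private val clients: Map[String, (String, Set[String])] = Map(
    "batch-job" -> ("s3cr3t", Set("read", "write")),
    "reporting" -> ("r3p0rt", Set("read"))
  )

  // Constant-time comparison so a wrong secret is not distinguishable by timing.
  private def secretMatches(expected: String, given: String): Boolean =
    MessageDigest.isEqual(expected.getBytes("UTF-8"), given.getBytes("UTF-8"))

  // Every requested scope must be in the client's allowed set; a missing
  // scope parameter is accepted and treated as "no scope" here.
  def validate(cred: ClientCredential, scope: Option[String]): Boolean =
    clients.get(cred.clientId).exists { case (secret, allowed) =>
      val secretOk = cred.clientSecret.exists(secretMatches(secret, _))
      val requested =
        scope.map(_.split(" ").filter(_.nonEmpty).toSet).getOrElse(Set.empty[String])
      secretOk && requested.subsetOf(allowed)
    }
}

object ClientCredentialsGrant {
  // Mirrors handleRequest from the issue, but the client credential itself is
  // the principal: no findUser call, and user is None in the resulting AuthInfo.
  def handle[U](cred: Option[ClientCredential], scope: Option[String])
               (implicit ec: ExecutionContext): Future[AuthInfo[U]] = Future {
    val c = cred.getOrElse(throw InvalidRequest("Client credential is required"))
    if (!ClientRegistry.validate(c, scope))
      throw InvalidClient("client_id, client_secret or scope is incorrect")
    AuthInfo[U](user = None, clientId = Some(c.clientId), scope = scope, redirectUri = None)
  }
}

object ClientCredentialsDemo {
  // Resource-side consumer: match on the Option instead of assuming a user.
  def ownerOf(info: AuthInfo[User]): String = info.user match {
    case Some(u) => s"user:${u.id}"
    case None    => s"client:${info.clientId.getOrElse("unknown")}"
  }

  def main(args: Array[String]): Unit = {
    // Valid confidential client asking for a scope it is allowed to use.
    val granted = Await.result(
      ClientCredentialsGrant.handle[User](
        Some(ClientCredential("batch-job", Some("s3cr3t"))), Some("read")), 1.second)
    println(ownerOf(granted))

    // A user-bound grant (e.g. password flow) would fill in Some(user).
    println(ownerOf(granted.copy(user = Some(User("alice")))))

    // Scope escalation: "reporting" may only request "read", so this fails.
    val denied = ClientCredentialsGrant.handle[User](
      Some(ClientCredential("reporting", Some("r3p0rt"))), Some("write"))
    Await.ready(denied, 1.second)
    println(denied.value.get.isFailure)

    // Missing credential fails with InvalidRequest before any validation.
    val missing = ClientCredentialsGrant.handle[User](None, None)
    Await.ready(missing, 1.second)
    println(missing.value.get.isFailure)
  }
}
```

The point of making `user` an `Option[U]` rather than inventing a placeholder user is that downstream code is forced to decide explicitly what a client-only token may do; a placeholder user would silently inherit whatever permissions the user type carries.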