nulab / scala-oauth2-provider

OAuth 2.0 server-side implementation written in Scala


According to the RFC, the client credentials flow does not have to be linked to a user

Dnomyar opened this issue · comments

According to the RFC, the client credentials flow does not have to be linked to a user. Actually, the RFC does not mention the user in the client credentials section.

So I wonder why, in the code, a user must be linked when using this flow (cf. code below)? Is it an error?

I have seen the bypass in #86. But it's a bypass. Don't you think it could be a good idea to fix it in the lib?

A solution could be to create an AuthInfo for the client credentials flow with an Option of U for the user field?

import scala.concurrent.{ExecutionContext, Future}
import scalaoauth2.provider._

class ClientCredentials extends GrantHandler {

  override def handleRequest[U](request: AuthorizationRequest, handler: AuthorizationHandler[U])(implicit ctx: ExecutionContext): Future[GrantHandlerResult[U]] = {
    val clientCredentialsRequest = new ClientCredentialsRequest(request)
    // client_id/client_secret are mandatory for this grant
    val clientCredential = clientCredentialsRequest.clientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
    val scope = clientCredentialsRequest.scope

    // A user is required here: if findUser yields None the grant is rejected,
    // even though RFC 6749 section 4.4 has no resource owner in this flow.
    handler.findUser(clientCredentialsRequest).flatMap { optionalUser =>
      val user = optionalUser.getOrElse(throw new InvalidGrant("client_id or client_secret or scope is incorrect"))
      // AuthInfo's user field is a plain U, so it cannot express "no user"
      val authInfo = AuthInfo(user, Some(clientCredential.clientId), scope, None)

      issueAccessToken(handler, authInfo)
    }
  }

}

PS: thanks for your work
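The following is an added, stand-alone sketch of the proposal above (an AuthInfo whose user is an Option) and is not code from scala-oauth2-provider or from the issue author. All names (AuthInfo, Client, ClientCredentialsGrant, ResourceServer, the secret hashing and the sample client registration) are assumptions made for this example. It shows the two sides of the change: the grant authenticates the client, checks the requested scope against the client's registration and issues a token with no user; a user-scoped endpoint then refuses such a token instead of treating the client as a user.

```scala
import java.nio.charset.StandardCharsets
import java.security.MessageDigest

// Hypothetical AuthInfo with an optional user, as proposed in the issue.
// A client-credentials token carries user = None; the client is the principal.
final case class AuthInfo[U](
    user: Option[U],
    clientId: Option[String],
    scope: Option[String],
    redirectUri: Option[String]
)

final case class User(id: String)

// Hypothetical client registration: hashed secret plus the scopes it may request.
final case class Client(clientId: String, secretHash: Array[Byte], allowedScopes: Set[String])

sealed trait GrantError
case object InvalidClient extends GrantError
case object InvalidScope extends GrantError

object ClientCredentialsGrant {
  // Unsalted SHA-256 is only acceptable for long random client secrets;
  // use a proper KDF if secrets can be low-entropy.
  private def sha256(s: String): Array[Byte] =
    MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8))

  def register(clientId: String, secret: String, allowedScopes: Set[String]): Client =
    Client(clientId, sha256(secret), allowedScopes)

  // RFC 6749 section 4.4: the client acts on its own behalf, so no user lookup
  // is performed. Requested scope must be a subset of what the client was
  // granted at registration; an absent scope falls back to that set.
  def handle(
      clients: Map[String, Client],
      clientId: String,
      secret: String,
      requestedScope: Option[String]
  ): Either[GrantError, AuthInfo[User]] =
    clients.get(clientId) match {
      case None => Left(InvalidClient)
      case Some(client) =>
        // MessageDigest.isEqual compares in constant time (no timing side channel).
        if (!MessageDigest.isEqual(client.secretHash, sha256(secret))) Left(InvalidClient)
        else {
          val scopes = requestedScope
            .map(_.split(" ").filter(_.nonEmpty).toSet)
            .getOrElse(client.allowedScopes)
          if (scopes.subsetOf(client.allowedScopes))
            Right(AuthInfo(None, Some(client.clientId), Some(scopes.mkString(" ")), None))
          else Left(InvalidScope)
        }
    }
}

object ResourceServer {
  // Endpoints that act on behalf of a resource owner must reject a token
  // that is bound only to a client; the Option makes that check explicit.
  def requireUser[U](info: AuthInfo[U]): Either[String, U] =
    info.user.toRight("access token is not bound to a user")
}

object Demo {
  def main(args: Array[String]): Unit = {
    // Constructed sample registration for the demo.
    val clients = Map("svc-a" -> ClientCredentialsGrant.register("svc-a", "s3cr3t-long-random", Set("read", "write")))

    println(ClientCredentialsGrant.handle(clients, "svc-a", "s3cr3t-long-random", Some("read")))
    println(ClientCredentialsGrant.handle(clients, "svc-a", "wrong-secret", Some("read")))
    println(ClientCredentialsGrant.handle(clients, "svc-a", "s3cr3t-long-random", Some("admin")))

    val clientOnly = AuthInfo[User](None, Some("svc-a"), Some("read"), None)
    println(ResourceServer.requireUser(clientOnly))
    println(ResourceServer.requireUser(AuthInfo(Some(User("alice")), Some("web"), Some("read"), None)))
  }
}
```

The point of the Option is not just to avoid the InvalidGrant in the library's handler: downstream code that needs a resource owner is forced to pattern-match on None rather than silently using a synthetic "service user", which is the kind of confusion that turns a client-only token into user-level access.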

You could create a non-user class like you pointed out in the issue.
Or, having an Option in the user class for the user doesn't look bad.