Enable PKCE with public: true

dex configuration `public` on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in its natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't send one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
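As an added illustration of the two `public` settings described above (this is example configuration, not part of the dex repository or of this commit), a staticClients fragment with one confidential and one public client. The field names `id`, `name`, `secret`, `public` and `redirectURIs` are assumed from dex's staticClients configuration; the client ids, redirect URIs and the secret placeholder are made up:

```yaml
# Added example (not from the dex repo or this commit): two staticClients
# entries showing the client_secret handling described in the commit message.
# Field names are assumed from dex's staticClients config; ids and URIs are
# placeholders.
staticClients:
  # Confidential client: public is false (the default), so the token endpoint
  # always compares client_secret, even when the client also sends a
  # code_verifier.
  - id: web-backend
    name: Web backend
    secret: replace-with-a-long-random-secret   # placeholder, not a real value
    redirectURIs:
      - https://app.example.org/callback

  # Public client (a CLI or single-page app that cannot keep a secret): with
  # public: true the authorization-code grant is accepted with a code_verifier
  # and no client_secret; if the client does send a secret it is still checked.
  - id: cli
    name: Command-line tool
    public: true
    redirectURIs:
      - http://127.0.0.1:5555/callback
```

The practical consequence of the gating is that a client registered with a secret can no longer drop that secret by merely adding a `code_verifier` to its token request; only clients explicitly marked `public: true` get the secret-less PKCE path.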
pull/1784/head
Bernd Eckstein 6 years ago
parent
commit
9faf988c83
server/handlers.go (4 lines changed)


@ -763,8 +763,8 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
grantType := r.PostFormValue("grant_type")
codeVerifier := r.PostFormValue("code_verifier")
if grantType == grantTypeAuthorizationCode && codeVerifier != "" && clientSecret == "" {
// RFC 7636 (PKCE) if code_verifier is received, use PKCE and allow empty clientSecret
if client.Public && grantType == grantTypeAuthorizationCode && codeVerifier != "" && clientSecret == "" {
// RFC 7636 (PKCE) if code_verifier is received, use PKCE and allow empty clientSecret, when client is public
} else if client.Secret != clientSecret {
s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
return
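Review bot: the first branch of the `if client.Public && grantType == grantTypeAuthorizationCode && codeVerifier != "" && clientSecret == ""` line has an empty body, so this hunk only decides whether to skip the `client.Secret != clientSecret` comparison; nothing visible here verifies `codeVerifier` against the stored code challenge, so please confirm (and reference in the comment) where PKCE verification happens later in `handleToken`, since on this path a public client that sends any non-empty `code_verifier` has passed the credential check. The empty-body `if` is also awkward to read; a guard reads more directly: `skipSecret := client.Public && grantType == grantTypeAuthorizationCode && codeVerifier != ""` followed by `if !skipSecret && client.Secret != clientSecret {`. Note that in the previous version any client, confidential ones included, could omit its secret just by sending a `code_verifier`; that this is now gated on `client.Public` is a security-relevant change in the meaning of the `public` field and should be documented alongside the staticClients configuration.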
