From 9faf988c8342bea950d126cf6022b262bd122bb9 Mon Sep 17 00:00:00 2001
From: Bernd Eckstein
Date: Thu, 17 Sep 2020 13:47:36 +0200
Subject: [PATCH] Enable PKCE with public: true dex configuration

public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein
---
 server/handlers.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/handlers.go b/server/handlers.go
index 3ad44b2b..49b8b624 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -763,8 +763,8 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 grantType := r.PostFormValue("grant_type")
 codeVerifier := r.PostFormValue("code_verifier")
- if grantType == grantTypeAuthorizationCode && codeVerifier != "" && clientSecret == "" {
- // RFC 7636 (PKCE) if code_verifier is received, use PKCE and allow empty clientSecret
+ if client.Public && grantType == grantTypeAuthorizationCode && codeVerifier != "" && clientSecret == "" {
+ // RFC 7636 (PKCE) if code_verifier is received, use PKCE and allow empty clientSecret, when client is public
 } else if client.Secret != clientSecret {
 s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 return