Passing clientSecret when initializing OAuth2 to be more compatible with RFC #2
Conversation
…ith Oauth2 RFC Section 2.3 (if the authorization server requires authentication, pass clientId and clientSecret in basic auth or in body)
|
Looks simple enough. Could you provide some error checking and/or case handling for the appropriate behavior when the user doesn't send in a client secret? (I haven't looked at the RFC to know which is appropriate here.) |
|
This is required to authenticate confidential clients per RFC 6749. Looks good to me to merge as it is, since not passing the parameter would result in the situation we're in right now. Anything else required to have this merged? I'm right now relying on jnorberg's fork directly. Would love to get back to your NPM. Thanks so much! |
|
I tested the querystring behavio with undefined (as opposed to '') and I'm satisfied that the behavior will be the same. Merged, and I'll tag shortly. |
|
I see that the package is tagged and published, but code is still reflecting older version. Raised #5. Thanks! |
Oauth2 RFC Section 2.3 (if the authorization server requires authentication, pass clientId and clientSecret in basic auth or in body)