Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add client_id and client_secret to OAuth2 config

See original GitHub issue

It seems increasingly difficult to reopen makeRequest in ember-cli. I realize that client_secret is mostly redundant in a browser application, but some OAuth2 servers expect it regardless of whether the client is public or confidential.

Would it be possible to just add these specific items to the payload (or set the appropriate header) if they are present in the user’s config?

Issue Analytics

  • State:closed
  • Created 9 years ago
  • Comments:25 (8 by maintainers)

github_iconTop GitHub Comments

2reactions
rotatingJazzcommented, Aug 16, 2014

So, I 've resolved the issue why the authenticator is not sending the form data to the api.

makerequest 's signature is (url, data), NOT (data) as mentioned in this thread.

Source: node_modules/ember-cli-simple-auth-oauth2/vendor-addon/ember-simple-auth/simple-auth-oauth2.amd.js, line 244.

1reaction
dustinfarriscommented, Jun 28, 2014

I understand that using client_secret with a public client seems redundant. It does remain, however, part of RFC6749 § 2.3 which states:

The authorization server MAY establish a client authentication method with public clients.

Since it is part of the specification, I see no reason not to support it (even if you choose not to promote it). Why not add the headers if the appropriate configuration variables are set? e.g. in oauth2#init:

this.clientId = globalConfig.clientId || "";
this.clientSecret = globalConfig.clientSecret || "";

and in oauth2#makeRequest:

if (this.clientId !== "" && this.clientSecret !== "") {
  headers = { "Authorization": "Basic " + btoa(this.clientId + ":" + this.clientSecret) };
} else {
  headers = {};
}
return Ember.$.ajax({
  url: this.serverTokenEndpoint,
  headers: headers,
  ...

I don’t see a reason to put the burden of overriding the method on the user when the behavior is explicitly outlined in the Proposed Standard.

Read more comments on GitHub >

github_iconTop Results From Across the Web

The Client ID and Secret - OAuth 2.0 Simplified
Client Secret. The client_secret is a secret known only to the application and the authorization server. It is essential the application's ...
Read more >
Getting Google OAuth2 Client ID and Client Secret - ITNEXT
Once you are in the Credentials section of API & Services, click on Configure Consent Screen. On the next page, choose External click...
Read more >
Create google oauth credentials Client Id and Client Secret
ASP NET Core google authentication setting up the UI · OAuth 2.0 and OpenID Connect (in plain English) ·.NET 6 Web API Create...
Read more >
Getting OAuth client ID, client secret, access token, and ... - IBM
In the Google Cloud Platform, you configure details for OAuth 2.0 authentication and authorization in a project. You can either use an existing...
Read more >
Configure OAuth 2.0 client applications
Complete the following fields on the Add OAuth2 Application dialog: Name: Enter a suitable name for this client application. Client ID:.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

There's no session.restore callback

Next page

ember-simple-auth-devise invalidate() does nothing