From db66198385017dd23332974afcb6cad26638b81e Mon Sep 17 00:00:00 2001
From: Emelia Smith
Date: Thu, 16 May 2024 17:12:47 +0200
Subject: [PATCH] Ensure only confidential clients can use Client Credentials grant flow
---
 config/initializers/doorkeeper.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 83100b1cf5..8be6c52e9a 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -172,6 +172,16 @@ Doorkeeper.configure do
 grant_flows %w(authorization_code password client_credentials)
+ # If the client is not a confidential client, it should not be able to use the
+ # client_credentials grant flow, since it cannot keep a secret.
+ allow_grant_flow_for_client do |grant_flow, client|
+ if grant_flow == Doorkeeper::OAuth::CLIENT_CREDENTIALS
+ client.confidential?
+ else
+ true
+ end
+ end
+
 # Under some circumstances you might want to have applications auto-approved,
 # so that the user skips the authorization step.
 # For example if dealing with a trusted application.