mirrors/mastodon
1
0
Fork 0
mirror of https://github.com/mastodon/mastodon.git synced 2025-01-10 04:06:27 +01:00
Code Issues Projects Releases Wiki Activity

Ensure only confidential clients can use Client Credentials grant flow

Browse Source
This commit is contained in:
Emelia Smith 2024-05-16 17:12:47 +02:00
parent 28411acebb
commit db66198385
No known key found for this signature in database
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
config/initializers/doorkeeper.rb
View File

@ -172,6 +172,16 @@ Doorkeeper.configure do
grant_flows %w(authorization_code password client_credentials) grant_flows %w(authorization_code password client_credentials)
# If the client is not a confidential client, it should not be able to use the
# client_credentials grant flow, since it cannot keep a secret.
allow_grant_flow_for_client do |grant_flow, client|
if grant_flow == Doorkeeper::OAuth::CLIENT_CREDENTIALS
client.confidential?
else
true
end
end
# Under some circumstances you might want to have applications auto-approved, # Under some circumstances you might want to have applications auto-approved,
# so that the user skips the authorization step. # so that the user skips the authorization step.
# For example if dealing with a trusted application. # For example if dealing with a trusted application.