From 7b1f6b88572bac1f3e838a9e904917fbd5fbdf61 Mon Sep 17 00:00:00 2001
From: James18232 <180368042+James18232@users.noreply.github.com>
Date: Sun, 17 Aug 2025 01:55:32 +1000
Subject: [PATCH] fix: ignore client secret if client is public (#836)

Co-authored-by: James18232 <80368042+James18232@users.noreply.github.com>
---
 backend/internal/service/oidc_service.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/internal/service/oidc_service.go b/backend/internal/service/oidc_service.go
index fada6a25..be3407ce 100644
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -1462,8 +1462,8 @@ func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *g
 // Validate credentials based on the authentication method
 switch {
- // First, if we have a client secret, we validate it
- case input.ClientSecret != "":
+ // First, if we have a client secret, we validate it unless client is marked as public
+ case input.ClientSecret != "" && !client.IsPublic:
 err = bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(input.ClientSecret))
 if err != nil {
 return nil, &common.OidcClientSecretInvalidError{}
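Review bot: The added `&& !client.IsPublic` guard on the new `case` line makes a supplied client_secret inert for a public client, so the later cases of this switch, which lie outside the hunk, now carry the whole authentication decision for that path; the hunk does not show that a public client is then held to a PKCE code_verifier check or otherwise rejected, and that should be confirmed, because a public client that passes neither a verified secret nor a PKCE check would be accepted on client_id alone. The new comment only says the secret is skipped; a comment stating the consequence would make the contract explicit, e.g. `// Public clients are treated as holding no secret: a supplied one is ignored, not verified, and the remaining cases decide`. Consider also a debug-level log when a secret arrives for a public client, since that usually indicates a misconfigured client and is otherwise invisible after this change. The enclosing switch and verifyClientCredentialsInternal continue past the end of the hunk.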