starred/pocket-id
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2026-02-05 00:39:38 +03:00
Code Issues 61 Packages Projects Releases 10 Wiki Activity

🐛 Bug Report: Device Code flow should not require a client secret #335

New Issue
Closed
opened 2026-02-04 18:56:02 +03:00 by OVERLORD · 4 comments
OVERLORD commented 2026-02-04 18:56:02 +03:00
Owner
Copy Link

Originally created by @ItalyPaleAle on GitHub (Jun 9, 2025).

Reproduction steps

When using the Device Code flow with Pocket ID, calls to the /api/oidc/device/authorize require a client_secret

Expected behavior

Per RFC 8628 sec 3.1 the device authorization request endpoint should not require a client secret. This is because clients are assumed to be public.

Section 5.6 calls this out:

Device clients are generally incapable of maintaining the confidentiality of their credentials, as users in possession of the device can reverse-engineer it and extract the credentials.

Actual Behavior

Client secret is required

Version and Environment

main branch

Log Output

No response

Originally created by @ItalyPaleAle on GitHub (Jun 9, 2025). ### Reproduction steps When using the Device Code flow with Pocket ID, calls to the `/api/oidc/device/authorize` require a `client_secret` ### Expected behavior Per [RFC 8628 sec 3.1](https://datatracker.ietf.org/doc/html/rfc8628#section-3.1) the device authorization request endpoint should not require a client secret. This is because clients are assumed to be public. [Section 5.6](https://datatracker.ietf.org/doc/html/rfc8628#section-5.6) calls this out: > Device clients are generally incapable of maintaining the confidentiality of their credentials, as users in possession of the device can reverse-engineer it and extract the credentials. ### Actual Behavior Client secret is required ### Version and Environment main branch ### Log Output _No response_
OVERLORD added the bug label 2026-02-04 18:56:02 +03:00
OVERLORD commented 2026-02-04 18:56:23 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub (Jun 9, 2025):

Correct, You need to check the Public client option to use the device code properly. Im not sure this is a bug but maybe a documentation issue, as when if a public client is used everything works correctly.

@kmendell commented on GitHub (Jun 9, 2025): Correct, You need to check the Public client option to use the device code properly. Im not sure this is a bug but maybe a documentation issue, as when if a public client is used everything works correctly.
OVERLORD commented 2026-02-04 18:56:34 +03:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub (Jun 9, 2025):

Right now it's possible to pass a client secret and the OidcDeviceAuthorizationRequestDto struct has a property for it. And if you pass one, it's validated. Should maybe be removed entirely, and throw an error if client isn't public?

@ItalyPaleAle commented on GitHub (Jun 9, 2025): Right now it's possible to pass a client secret and the `OidcDeviceAuthorizationRequestDto` struct has a property for it. And if you pass one, it's validated. Should maybe be removed entirely, and throw an error if client isn't public?
OVERLORD commented 2026-02-04 18:56:46 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub (Jun 9, 2025):

Clients that use the device code flow can also be confidential, and if they are, they require a client secret. In section 3.1:

The client authentication requirements of Section 3.2.1 of [RFC6749] apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint, and public clients provide the "client_id" parameter to identify themselves.

This probably means that we would also have to implement federated client credentials for this endpoint, right?

@stonith404 commented on GitHub (Jun 9, 2025): Clients that use the device code flow can also be confidential, and if they are, they require a client secret. In section 3.1: > The client authentication requirements of [Section 3.2.1 of [RFC6749]](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1) apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint, and public clients provide the "client_id" parameter to identify themselves. This probably means that we would also have to implement federated client credentials for this endpoint, right?
OVERLORD commented 2026-02-04 18:56:57 +03:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub (Jun 9, 2025):

Thanks I missed that paragraph. Yes we would need to add federated credentials there too, I can update my latest PR.

@ItalyPaleAle commented on GitHub (Jun 9, 2025): Thanks I missed that paragraph. Yes we would need to add federated credentials there too, I can update my latest PR.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
bug
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#335
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?