mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-07-16 05:54:01 +03:00
[PR #836] [MERGED] fix: ignore client secret if client is public #948
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/pocket-id/pocket-id/pull/836
Author: @James18232
Created: 8/16/2025
Status: ✅ Merged
Merged: 8/16/2025
Merged by: @stonith404
Base:
main← Head:fix-public-flow-auth📝 Commits (1)
b962975fix: client secret being checked for public clients📊 Changes
1 file changed (+2 additions, -2 deletions)
View changed files
📝
backend/internal/service/oidc_service.go(+2 -2)📄 Description
feat to allow a user to specify a (Confidential + PKCE) Client as a Public Client instead.
This is necessary for clients setup as confidential + PKCE authorization that do not protect client secrets properly.
One example is ownCloud OCIS ( Desktop/Android/IOS ) - the client secret is expected to be a hard coded/public value - see https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html#client-ids-secrets-and-redirect-uris)
This is incorrect implementation by the service, however PocketID should ignore any client secret attached to a request for access from a Public Client as the spec does not expect this. This will allow support for these services as Public clients for now (once custom Client ID support is implemented).
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.