
Dex Device Flow requires client_secret which is not RFC8628 compliant

Open devoxel opened this issue 1 year ago • 3 comments

Preflight Checklist

  • [x] I agree to follow the Code of Conduct that this project adheres to.
  • [x] I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • [x] I am not looking for support or already pursued the available support channels without success.

Expected Behavior

When handling a Device Authorization Grant, a RFC8628-compliant client will not send the client secret.

Actual Behavior

If you don't provide a secret, you get an "Invalid client credentials" error. See server/deviceflowhandlers.go#L74.

Steps To Reproduce

Use an RFC8628 compliant client, or just set your client-secret in your client to an empty string.

Additional Information

Dex does have the ability to use "public: true" on clients, which restricts some activity. However, there should be no need to include client secret credentials in clients, so if somebody does not know that they need to configure their client as public, they could end up leaking credentials.

The only tangible security reason to include the secret is if somebody is using Device Flow in a situation where their secret is actually secret. But in that case, they have no reason to be using this flow in the first place.

devoxel avatar Feb 12 '25 10:02 devoxel
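The behaviour the issue contrasts, shown as an added example (not Dex's code and not github.com/cli/oauth): an in-process device authorization endpoint that only demands a secret from confidential clients, and a client that sends exactly what RFC 8628 section 3.1 requires (client_id and scope, no client_secret). The client table, the handler and function names, and the placeholder codes are all assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// registeredClient is an assumed stand-in for a static client entry, not Dex's type.
type registeredClient struct {
	Secret string // empty for public clients
	Public bool
}

// clients is constructed sample data: one public CLI client, one confidential client.
var clients = map[string]registeredClient{
	"cli-tool": {Public: true},
	"backend":  {Secret: "backend-secret", Public: false},
}

// deviceCodeResponse carries the fields of an RFC 8628 section 3.2 response.
type deviceCodeResponse struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}

// writeOAuthError returns an RFC 6749 section 5.2 style JSON error body.
func writeOAuthError(w http.ResponseWriter, code string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusBadRequest)
	json.NewEncoder(w).Encode(map[string]string{"error": code})
}

// deviceAuthorizationHandler only authenticates confidential clients; a public
// client is never asked for a secret, which is what RFC 8628 section 3.1 expects.
func deviceAuthorizationHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		writeOAuthError(w, "invalid_request")
		return
	}
	client, ok := clients[r.PostForm.Get("client_id")]
	if !ok {
		writeOAuthError(w, "invalid_client")
		return
	}
	if !client.Public {
		// Confidential client: compare the presented secret in constant time.
		presented := []byte(r.PostForm.Get("client_secret"))
		if subtle.ConstantTimeCompare(presented, []byte(client.Secret)) != 1 {
			writeOAuthError(w, "invalid_client")
			return
		}
	}
	// Placeholder codes; a real server issues random, single-use values.
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(deviceCodeResponse{
		DeviceCode: "constructed-device-code", UserCode: "WDJB-MJHT",
		VerificationURI: "https://issuer.example/device", ExpiresIn: 1800, Interval: 5,
	})
}

// requestDeviceCode sends what an RFC 8628 compliant client sends: client_id and
// scope only, no client_secret. It returns the status and, on 200, the decoded body.
func requestDeviceCode(endpoint, clientID, scope string) (int, *deviceCodeResponse, error) {
	form := url.Values{"client_id": {clientID}, "scope": {scope}}
	resp, err := http.Post(endpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, nil, nil
	}
	var out deviceCodeResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return resp.StatusCode, nil, err
	}
	return resp.StatusCode, &out, nil
}

// newTestServer serves the handler in-process so the example runs offline.
func newTestServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(deviceAuthorizationHandler))
}

func main() {
	srv := newTestServer()
	defer srv.Close()
	for _, id := range []string{"cli-tool", "backend"} {
		status, dc, err := requestDeviceCode(srv.URL, id, "openid")
		if err != nil {
			fmt.Println(id, "error:", err)
		} else if dc != nil {
			fmt.Printf("%s: %d user_code=%s\n", id, status, dc.UserCode)
		} else {
			fmt.Printf("%s: %d (confidential client, no secret sent)\n", id, status)
		}
	}
}
```

The public client gets a device code without ever holding a secret, while the confidential client is rejected with invalid_client because the compliant client never sends one; requiring a secret from every client collapses both cases into the second and pushes integrators toward embedding a credential that a CLI cannot keep secret.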

which restricts some activity.

@devoxel could you help me please, I didn't get the idea. Why is it not possible to use public clients? Which activity should be restricted?

I also would like to know what is your client configuration in dex. Did you set the empty password for a non-public client?

nabokihms avatar Feb 20 '25 13:02 nabokihms

It is possible to use public clients. But the issue is that RFC compliant clients will not send the client secret. An example is github.com/cli/oauth.

I created a reproduction to be more obvious: https://github.com/devoxel/example-deviceflow-issue and used a fork of oauth to show that it works when you present a client secret.

I realised while doing this repo that it is possible to use these RFC compliant clients if you set your client secret to "".

devoxel avatar Feb 20 '25 16:02 devoxel

@nabokihms you have to always set a secret and pass a secret for this to work. If you look at the GitHub Actions example, a secret is passed for the client ID when it's not used or not needed.

cardoe avatar Sep 03 '25 02:09 cardoe