Device workflow is missing the client_id parameter in token requests

Open ronnybremer opened this issue 1 year ago • 2 comments

According to https://www.rfc-editor.org/rfc/rfc8628#section-3.4, when requesting a token during the device workflow, the client_id is required when the client is not able to authenticate to the IDP.

This code shows that only the device_code and user_code are used in the request: https://github.com/openid/AppAuth-iOS/blob/c89ed571ae140f8eb1142735e6e23d7bb8c34cb2/Sources/AppAuthTV/OIDTVTokenRequest.m#L160C1-L172C2

Should that be amended to include the client_id as well?

ronnybremer avatar Jun 09 '24 10:06 ronnybremer

Additionally, I found the client_secret to be mandatory in the constructors of OIDTVAuthorizationRequest (the ones relevant to the device workflow), however, the RFC doesn't mention client_secret to be used for the authorization endpoint as the workflow is designed for public clients. Should that be optional?

ronnybremer avatar Jun 09 '24 10:06 ronnybremer
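
The RFC 8628 section 3.4 rule raised in the two comments above, as an added illustration (not code from AppAuth-iOS or from the posters): a public client identifies itself with `client_id` in the form body, a confidential client authenticates with HTTP Basic instead, and a request that does neither is flagged. The function names and all sample values are constructed for this example.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4
FORM = "application/x-www-form-urlencoded"


def build_token_request(device_code, client_id, client_secret=None):
    """Return (headers, body) for a device access token request.

    Public client (no secret): client_id goes in the form body.
    Confidential client: HTTP Basic authentication (RFC 6749 section 2.3.1),
    so client_id in the body is not required.
    """
    headers = {"Content-Type": FORM}
    params = {"grant_type": DEVICE_GRANT, "device_code": device_code}
    if client_secret is None:
        params["client_id"] = client_id
    else:
        # Both values are form-encoded before being joined and base64-encoded.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    return headers, urlencode(params)


def check_token_request(headers, body):
    """List the ways a request deviates from RFC 8628 section 3.4."""
    form = parse_qs(body, keep_blank_values=True)
    problems = []
    if form.get("grant_type") != [DEVICE_GRANT]:
        problems.append("grant_type is not the device_code grant URN")
    if not form.get("device_code", [""])[0]:
        problems.append("device_code is missing")
    # Without header-based client authentication, the body must carry client_id.
    authenticated = headers.get("Authorization", "").startswith("Basic ")
    if not authenticated and not form.get("client_id", [""])[0]:
        problems.append("client_id is missing and the client is not authenticating")
    return problems


# Constructed sample values, not taken from any real provider.
DEVICE_CODE = "example-device-code"
public = build_token_request(DEVICE_CODE, "tv-app-1")
confidential = build_token_request(DEVICE_CODE, "tv-app-1", "s3cr3t")
# Constructed request with neither client_id nor client authentication.
unidentified = ({"Content-Type": FORM},
                urlencode({"grant_type": DEVICE_GRANT, "device_code": DEVICE_CODE}))
```
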

I am facing the same issue. Additionally, when I add the client_id and client_secret to the body, I get an invalid_client error.

This is for LinkedIn.

akm-masuduzzaman avatar Aug 28 '24 00:08 akm-masuduzzaman