Optional client secret

[pulapura]

The org.springframework.security.oauth2.provider.Clien tDetails class has a method called isSecretRequired(). I was assuming that this could be used to avoid having to require client secrets from public clients. However, I do not see this method being used anywhere in the framework. Where is this method meant to be used in the flow?

Thanks

[Dave Syer]

I think it's a historical artifact. Feel free to use it if you want, but the framework doesn't need to particularly as things stand because it expects a standard BasicAuthenticationFilter to be adequate for most purposes.

[pulapura]

Thanks. Does that mean that the general expectation is to have all clients send in a client id and client secret irrespective of whether they are confidential or public clients?

I am trying to understand if requiring these from public clients gives them a false sense of security about their credentials being actually secret or secure.

[Dave Syer]

I don't really see what bearing a method in a server-side interface has on the behaviour of clients. By "public" clients do you mean those without secrets? If so then they would normally only be allowed to use the implicit grant type (which requires no client authentication). If they are allowed to use the token endpoint, then I suppose they are going to have to send an Authorization header, unless you provide a custom auth filter.

[pulapura]

By public clients I mean mobile applications, native applications etc. Unfortunately, its never clear what to do with these clients with OAuth. I guess I have to use the implicit grant type for these.

[Dave Syer]

You can use (e.g.) password grants if you like. You just have to send an empty secret (by default).

[pulapura]

Thanks, I think thats what I will do. I appreciate your replies.