Ensure only confidential clients can use Client Credentials grant flow

This commit is contained in:
Emelia Smith 2024-05-16 17:12:47 +02:00
parent ca4139be07
commit 5c6ad1a0e5
No known key found for this signature in database


@ -167,6 +167,16 @@ Doorkeeper.configure do
grant_flows %w(authorization_code client_credentials)
# If the client is not a confidential client, it should not be able to use the
# client_credentials grant flow, since it cannot keep a secret.
allow_grant_flow_for_client do |grant_flow, client|
if grant_flow == Doorkeeper::OAuth::CLIENT_CREDENTIALS
client.confidential?
else
true
end
end
# Under some circumstances you might want to have applications auto-approved,
# so that the user skips the authorization step.
# For example if dealing with a trusted application.
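Review bot: The new guard at `client.confidential?` is only as strong as the value stored in `oauth_applications.confidential`, and nothing in this hunk shows how that column is populated; Doorkeeper's own migration defaults it to `true`, so any application registered without explicitly setting `confidential: false` would presumably still pass this check and obtain a client_credentials token with its uid alone — worth confirming against the app-registration path. The comment should spell out the actual risk rather than "cannot keep a secret", e.g. `# Doorkeeper authenticates a non-confidential client by uid alone (no secret), so letting it use client_credentials would hand out tokens to anyone who knows the public client id.` The branch also reduces to one expression, `grant_flow != Doorkeeper::OAuth::CLIENT_CREDENTIALS || client.confidential?`, which reads closer to the rule being stated. A request spec against the token endpoint asserting that a `confidential: false` application gets `unauthorized_client` for `grant_type=client_credentials` (and a confidential one still succeeds) would pin this down. The enclosing `Doorkeeper.configure do` block begins before this hunk and continues after it.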