🐛 Bug Report: Device Code flow should not require a client secret #80

Closed
opened 2025-07-08 08:39:12 -04:00 by AtHeartEngineer · 0 comments

*Originally created by @ItalyPaleAle on 6/9/2025*

### Reproduction steps

When using the Device Code flow with Pocket ID, calls to the `/api/oidc/device/authorize` require a `client_secret`

### Expected behavior

Per [RFC 8628 sec 3.1](https://datatracker.ietf.org/doc/html/rfc8628#section-3.1) the device authorization request endpoint should not require a client secret. This is because clients are assumed to be public.

[Section 5.6](https://datatracker.ietf.org/doc/html/rfc8628#section-5.6) calls this out:

> Device clients are generally incapable of maintaining the confidentiality of their credentials, as users in possession of the device can reverse-engineer it and extract the credentials.

### Actual Behavior

Client secret is required

### Version and Environment

main branch

### Log Output

_No response_

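The endpoint behaviour the report asks for, as an added Go example that is not Pocket ID's own code: per RFC 8628 section 3.1 the device authorization endpoint identifies a public client by `client_id` alone and demands a secret only from a client registered as confidential. The in-memory client registry, the client names, the secret and the verification URI are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"net/http"
)

// Client is a registered OAuth client; a public one (RFC 8628 sec 5.6) holds no secret.
type Client struct{ ID, Secret string; Public bool }

// Hypothetical in-memory store; secrets are plaintext only for this constructed sample.
var clients = map[string]Client{
	"tv-app":  {ID: "tv-app", Public: true},
	"backend": {ID: "backend", Secret: "constructed-secret"},
}

// DeviceAuthResponse is the RFC 8628 sec 3.2 device authorization response.
type DeviceAuthResponse struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}

// AuthorizeDevice applies RFC 8628 sec 3.1: a public client identifies itself with
// client_id alone; only a confidential client must also present its secret.
func AuthorizeDevice(clientID, clientSecret string) (*DeviceAuthResponse, int) {
	if c, ok := clients[clientID]; !ok || (!c.Public && subtle.ConstantTimeCompare([]byte(c.Secret), []byte(clientSecret)) != 1) {
		return nil, http.StatusUnauthorized // surfaced as invalid_client (RFC 6749 sec 5.2)
	}
	return &DeviceAuthResponse{DeviceCode: randomHex(32), UserCode: randomHex(4),
		VerificationURI: "https://id.example/device", ExpiresIn: 600, Interval: 5}, http.StatusOK
}

// DeviceAuthorizeHandler serves POST /device/authorize with a form-encoded body.
func DeviceAuthorizeHandler(w http.ResponseWriter, r *http.Request) {
	resp, status := AuthorizeDevice(r.FormValue("client_id"), r.FormValue("client_secret"))
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	var body any = resp
	if status != http.StatusOK {
		body = map[string]string{"error": "invalid_client"}
	}
	json.NewEncoder(w).Encode(body)
}

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand; the read error is ignored only in this sample
	return hex.EncodeToString(b)
}
```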
Reference: github/pocket-id#80