From cd76fd9219ee0e3ad4f31e51f4a3c82c86b25955 Mon Sep 17 00:00:00 2001
From: Michael Terry
Date: Sat, 27 Apr 2024 20:36:41 -0400
Subject: [PATCH] oauthutil: clear client secret if client ID is set

When an external OAuth flow is being used (i.e. a client ID and an OAuth token are set in the config), a client secret should not be set. If one is, the server may reject a token refresh attempt. But there's no way to clear out a backend's default client secret via configuration, since empty-string config values are ignored. So instead, when a client ID is set, we should clear out any default client secret, since it wouldn't apply anyway.
---
 lib/oauthutil/oauthutil.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/oauthutil/oauthutil.go b/lib/oauthutil/oauthutil.go
index 7b0fb9d9d..2f3d5278f 100644
--- a/lib/oauthutil/oauthutil.go
+++ b/lib/oauthutil/oauthutil.go
@@ -376,6 +376,9 @@ func overrideCredentials(name string, m configmap.Mapper, origConfig *oauth2.Con
 	ClientID, ok := m.Get(config.ConfigClientID)
 	if ok && ClientID != "" {
 		newConfig.ClientID = ClientID
+		// Clear out any existing client secret since the ID changed.
+		// (otherwise it's impossible for a config to clear the secret)
+		newConfig.ClientSecret = ""
 		changed = true
 	}
 	ClientSecret, ok := m.Get(config.ConfigClientSecret)
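Review bot: The added comment says the secret is cleared "since the ID changed", but the guard `if ok && ClientID != ""` only checks that a client ID is configured, not that it differs from the backend's built-in one, so a user who sets client_id to the default value presumably loses the default secret too (inferred, since origConfig's ClientID is not compared here). The behaviour is deliberate per the commit message, so the comment should state the actual rule rather than a change of ID: `// A configured client ID means the user brings their own OAuth app, so the backend's built-in secret must not be sent; it is discarded here and only reinstated if client_secret is also configured (read below).` That wording also makes clear why the clear happens before the ConfigClientSecret lookup on the next line, which still lets an explicit secret override. overrideCredentials starts and ends outside the hunk.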