oauthutil: clear client secret if client ID is set

When an external OAuth flow is being used (i.e. a client ID and an
OAuth token are set in the config), a client secret should not be set.
If one is, the server may reject a token refresh attempt.

But there's no way to clear out a backend's default client secret via
configuration, since empty-string config values are ignored.

So instead, when a client ID is set, we should clear out any default
client secret, since it wouldn't apply anyway.
Michael Terry 2024-04-27 20:36:41 -04:00 committed by Nick Craig-Wood
parent 5b8cdaff39
commit cd76fd9219

@ -376,6 +376,9 @@ func overrideCredentials(name string, m configmap.Mapper, origConfig *oauth2.Con
ClientID, ok := m.Get(config.ConfigClientID) ClientID, ok := m.Get(config.ConfigClientID)
if ok && ClientID != "" { if ok && ClientID != "" {
newConfig.ClientID = ClientID newConfig.ClientID = ClientID
// Clear out any existing client secret since the ID changed.
// (otherwise it's impossible for a config to clear the secret)
newConfig.ClientSecret = ""
changed = true changed = true
} }
ClientSecret, ok := m.Get(config.ConfigClientSecret) ClientSecret, ok := m.Get(config.ConfigClientSecret)
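
Review bot: The comment above `newConfig.ClientSecret = ""` says the secret is cleared "since the ID changed", but the guard is only `ok && ClientID != ""`, so the secret is also cleared when the configured ID is identical to the existing one. Either reword the comment to "since a client ID is configured" or compare against `origConfig.ClientID` before clearing. The clear is also only safe because it runs before the `m.Get(config.ConfigClientSecret)` lookup on the following line; a short comment stating that the order matters would keep a later reordering from silently discarding a secret the user did configure. A test covering both cases (ID set with no secret gives an empty secret, ID and secret both set keeps the configured secret) is not visible in this hunk and would be worth adding.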