Authorization Code Flow without Client Authentication

Hi,

I would like to implement OAuth2 using authorization code flow in my webapp. Could you tell me how to implement this flow without client authentication?

$ curl --insecure -X POST \
    --url "https://127.0.0.1:8443/httpbin/oauth2/authorize" \
    --data "response_type=code" \
    --data "provision_key=JAnkP5RWqIwLEP4j66NLijmtmGPlqpMP" \
    --data "authenticated_userid=test" \
    --data "client_id=dns8Bn88T5XUivEYUZyxim9OFQqKIbDA"
{"redirect_uri":"http:\/\/localhost?code=bgiuB3YNm94RiH886Nz7lA9fYm2bdyg5"}

$ curl --insecure -X POST \
    --url "https://127.0.0.1:8443/httpbin/oauth2/token" \
    --data "grant_type=authorization_code" \
    --data "redirect_uri=http://localhost" \
    --data "code=bgiuB3YNm94RiH886Nz7lA9fYm2bdyg5" \
    --data "client_id=dns8Bn88T5XUivEYUZyxim9OFQqKIbDA"
{"error_description":"Invalid client authentication","error":"invalid_client"}

According to RFC 6749, section 4.1.3, I want to do it like the above, since client_secret is NOT REQUIRED when my OAuth2 application is a public client.

Thanks,
Masa
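What a token endpoint has to check when a public client presents an authorization code under RFC 6749 section 4.1.3 (confidential clients authenticate; public clients are only identified, so the code must be bound to the client_id and redirect_uri it was issued for, and be single-use). This is an added example, not part of the original post or the Kong OAuth2 plugin; the client registry, the confidential client and its secret are constructed values.

```python
"""Minimal authorization-code store and token-endpoint checks (RFC 6749 4.1.3).

Added example, not the Kong OAuth2 plugin's code. Client ids, secrets,
codes and redirect URIs below are constructed sample values.
"""
import secrets
import time

# Constructed client registry. A public client has no secret (RFC 6749 2.1).
CLIENTS = {
    "dns8Bn88T5XUivEYUZyxim9OFQqKIbDA": {"public": True, "secret": None,
                                         "redirect_uris": {"http://localhost"}},
    "confidential-client-id": {"public": False, "secret": "constructed-s3cret",
                               "redirect_uris": {"https://app.example/cb"}},
}
CODES = {}  # code -> {"client_id", "redirect_uri", "expires"}


def issue_code(client_id, redirect_uri):
    """Authorization endpoint: bind a fresh code to client_id and redirect_uri."""
    if redirect_uri not in CLIENTS[client_id]["redirect_uris"]:
        return None  # unregistered redirect_uri: refuse to issue a code
    code = secrets.token_urlsafe(24)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "expires": time.time() + 600}  # codes are short-lived
    return code


def exchange_code(form):
    """Token endpoint. Returns ("ok", token) or (error_code, None)."""
    client = CLIENTS.get(form.get("client_id"))
    if client is None:
        return "invalid_client", None
    # Confidential clients MUST authenticate; public clients only identify themselves.
    if not client["public"]:
        presented = form.get("client_secret") or ""
        if not secrets.compare_digest(presented, client["secret"]):
            return "invalid_client", None
    grant = CODES.pop(form.get("code"), None)  # pop makes the code single-use
    if grant is None or grant["expires"] < time.time():
        return "invalid_grant", None
    # The code must have been issued to this client_id ...
    if grant["client_id"] != form["client_id"]:
        return "invalid_grant", None
    # ... and redirect_uri must equal the value from the authorization request.
    if form.get("redirect_uri") != grant["redirect_uri"]:
        return "invalid_grant", None
    return "ok", secrets.token_urlsafe(32)
```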


© 2019 Kong Inc.