Hi,
I would like to implement OAuth2 using authorization code flow in my webapp. Could you tell me how to implement this flow without client authentication?
$ curl --insecure -X POST \
    --url "https://127.0.0.1:8443/httpbin/oauth2/authorize" \
    --data "response_type=code" \
    --data "provision_key=JAnkP5RWqIwLEP4j66NLijmtmGPlqpMP" \
    --data "authenticated_userid=test" \
    --data "client_id=dns8Bn88T5XUivEYUZyxim9OFQqKIbDA"
{"redirect_uri":"http:\/\/localhost?code=bgiuB3YNm94RiH886Nz7lA9fYm2bdyg5"}

$ curl --insecure -X POST \
    --url "https://127.0.0.1:8443/httpbin/oauth2/token" \
    --data "grant_type=authorization_code" \
    --data "redirect_uri=http://localhost" \
    --data "code=bgiuB3YNm94RiH886Nz7lA9fYm2bdyg5" \
    --data "client_id=dns8Bn88T5XUivEYUZyxim9OFQqKIbDA"
{"error_description":"Invalid client authentication","error":"invalid_client"}
According to RFC 6749, section 4.1.3, I want to do it as shown above, since client_secret is NOT REQUIRED when my OAuth2 application is a public client.
Thanks,
Masa
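
The checks RFC 6749 section 4.1.3 asks an authorization server to apply to the token request above, as an added example that is not part of the original post and not the code of the gateway it queries. The client registry, client ids, secret and token value are constructed for illustration; a client with `secret=None` models a public client that was never issued credentials.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    client_id: str
    secret: Optional[str]        # None = public client, no credentials issued


@dataclass
class IssuedCode:
    client_id: str               # client the code was issued to
    redirect_uri: Optional[str]  # redirect_uri sent in the authorization request
    used: bool = False


# Constructed sample registry (hypothetical ids, not the values from the post).
CLIENTS = {
    "public-app": Client("public-app", None),
    "server-app": Client("server-app", "s3cr3t-example"),
}


def token_request(params: dict, codes: dict) -> dict:
    """Apply the RFC 6749 section 4.1.3 checks to a token request."""
    if params.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return {"error": "invalid_client"}
    # Any client that was issued credentials must authenticate.
    if client.secret is not None:
        supplied = params.get("client_secret", "")
        if not hmac.compare_digest(supplied.encode(), client.secret.encode()):
            return {"error": "invalid_client"}
    code = codes.get(params.get("code", ""))
    # The code must be valid, unused, and issued to this client_id.
    if code is None or code.used or code.client_id != client.client_id:
        return {"error": "invalid_grant"}
    # redirect_uri must match if one was sent in the authorization request.
    if code.redirect_uri is not None and params.get("redirect_uri") != code.redirect_uri:
        return {"error": "invalid_grant"}
    code.used = True             # authorization codes are single use
    return {"token_type": "bearer", "access_token": "constructed-token"}
```

In this model the secret-less request succeeds only for the client registered without credentials; the same request from a client that holds a secret returns `invalid_client`.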