Stop supporting Resource Owner Password Credentials Grant without client credentials after upgrading to Doorkeeper 5.5
Summary
This is a follow-up to !32878 (merged).
Doorkeeper 5.5 (not yet released) will drop support for ROPC grants without client credentials, or potentially keep supporting this with a configuration option.
As explained in the linked MR, the OAuth applications created in GitLab always generate a `client_id` and `client_secret`, so to conform with RFC 6749 we MUST always require client credentials:
The authorization server MUST:
o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),
Improvements
- Change the spec `when no client credentials provided` in spec/requests/api/oauth_tokens_spec.rb to fail.
- Enable the pending spec `with invalid credentials` in spec/requests/api/oauth_tokens_spec.rb.
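To make the required behaviour concrete, the following Ruby snippet models an ROPC (`grant_type=password`) token endpoint that authenticates the client before it ever looks at the resource owner's username and password, which is what the RFC quote above and the two spec changes demand. It is an added example, not GitLab or Doorkeeper code; the `APPLICATIONS` and `USERS` tables, the `ropc_token_request` function and the sample credentials are all constructed for illustration. The error codes follow RFC 6749 §5.2 (`invalid_client` for missing or wrong client credentials, `invalid_grant` for a bad resource-owner password); returning HTTP 401 for `invalid_client` is a choice the RFC permits and matches what Doorkeeper does.

```ruby
require 'digest'
require 'securerandom'

# Constructed in-memory registry of OAuth applications (hypothetical, not
# GitLab's data model). Secrets are stored as SHA-256 digests so that the
# comparison below runs over fixed-length strings.
APPLICATIONS = {
  'app-1234' => Digest::SHA256.hexdigest('s3cret-app-1234')
}.freeze

# Constructed resource-owner records; a real system would use a slow
# password hash (bcrypt/argon2), plain SHA-256 is only for brevity here.
USERS = {
  'alice' => Digest::SHA256.hexdigest('correct horse battery staple')
}.freeze

# Constant-time comparison so a wrong secret does not leak how many
# leading bytes matched through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def error(status, code)
  { status: status, body: { 'error' => code } }
end

# Handle a Resource Owner Password Credentials grant. Order matters:
# the client is authenticated first (RFC 6749 §4.3.2 / §3.2.1); a request
# with no client credentials at all is rejected exactly like one with the
# wrong credentials, so there is no unauthenticated path to a token.
def ropc_token_request(params)
  return error(400, 'unsupported_grant_type') unless params['grant_type'] == 'password'

  client_id = params['client_id']
  client_secret = params['client_secret']
  stored_secret = client_id && APPLICATIONS[client_id]
  unless stored_secret && client_secret &&
         secure_compare(stored_secret, Digest::SHA256.hexdigest(client_secret))
    return error(401, 'invalid_client')
  end

  # Only an authenticated client gets to submit resource-owner credentials.
  user_hash = USERS[params['username']]
  password = params['password']
  unless user_hash && password && secure_compare(user_hash, Digest::SHA256.hexdigest(password))
    return error(400, 'invalid_grant')
  end

  {
    status: 200,
    body: {
      'access_token' => SecureRandom.hex(32),
      'token_type' => 'Bearer',
      'expires_in' => 7200
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  # Mirrors the two specs: no client credentials, then invalid client credentials.
  p ropc_token_request('grant_type' => 'password', 'username' => 'alice',
                       'password' => 'correct horse battery staple')
  p ropc_token_request('grant_type' => 'password', 'client_id' => 'app-1234',
                       'client_secret' => 'wrong', 'username' => 'alice',
                       'password' => 'correct horse battery staple')
end
```

The first call in the usage block corresponds to the `when no client credentials provided` spec and the second to `with invalid credentials`; both must come back as `invalid_client` regardless of whether the username and password are correct, which is the observable difference between the old lenient behaviour and the RFC-conformant one.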
Risks
This might break some clients, but since this was never supported behaviour and we updated the docs in !32878 (merged) to indicate the requirement for client credentials, this should be acceptable.