Notes about confidential clients

This server manages confidential clients as specified in the OAuth 2.0 RFC. Each client has a boolean `confidential` attribute stating whether the client is confidential. For confidential clients, the client secret is checked in some cases. Here is how this implementation handles them for each flow:

  • Client Credentials - always enforces the client secret check
  • Authorization Code Grant - enforces the client secret check only for confidential clients, and only on the access token request; the client secret is not checked during the authorization phase
  • Hybrid Flow - has the same behavior as the Authorization Code Grant
  • Implicit Grant - never checks the client secret
  • Resource Owner Password Credentials - enforces the client secret check only for confidential clients
  • Refresh Token - always enforces the client secret check, unless the client's `public_refresh_token` flag is set, which overrides its confidentiality
  • Introspect - always enforces the client secret check
  • Revoke - always enforces the client secret check, unless the client's `public_revoke` flag is set, which overrides its confidentiality
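The following is an added example (not this server's own code) that encodes the per-flow policy above as a single decision function and applies it with a constant-time secret comparison. The flow names, the `Client` dataclass and the sample clients are constructed for illustration; the `confidential`, `public_refresh_token` and `public_revoke` attributes mirror the ones described on this page.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed flow identifiers, grouped by the rule the page gives for them.
ALWAYS = {"client_credentials", "introspect"}               # secret always checked
CONFIDENTIAL_ONLY = {"authorization_code_token",            # token request only
                     "hybrid_token", "password"}
NEVER = {"authorization_code_authorize",                    # authorization phase
         "hybrid_authorize", "implicit"}

@dataclass
class Client:
    client_id: str
    secret: str                      # empty string for clients without a secret
    confidential: bool
    public_refresh_token: bool = False   # overrides confidentiality on refresh
    public_revoke: bool = False          # overrides confidentiality on revoke

def secret_required(client: Client, flow: str) -> bool:
    """Return True when this flow must verify the client secret for this client."""
    if flow == "refresh_token":
        return not client.public_refresh_token
    if flow == "revoke":
        return not client.public_revoke
    if flow in ALWAYS:
        return True
    if flow in CONFIDENTIAL_ONLY:
        return client.confidential
    if flow in NEVER:
        return False
    raise ValueError(f"unknown flow: {flow}")

def authenticate(client: Client, flow: str, presented: Optional[str]) -> bool:
    """Apply the policy; when a secret is required, compare it in constant time."""
    if not secret_required(client, flow):
        return True
    # Defensive check added here: a client with no registered secret can never
    # satisfy a flow that requires one, even if it presents an empty string.
    if not client.secret or presented is None:
        return False
    return hmac.compare_digest(client.secret.encode(), presented.encode())
```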