[bug]: Allow Client Secret for OAuth2 Authentication #3572

Open
1 task done
Dan6erbond opened this issue Nov 21, 2023 · 1 comment · May be fixed by #3573
Labels: bug (Something isn't working), need testing (Needs to be tested before merging onto production)

Comments

@Dan6erbond

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Previously Hoppscotch would allow setting no client secret for OAuth2 authentication, which would then trigger the client credentials flow for providers such as Azure AD.

The recent 2023.8.4 release adds validation for the clientSecret that forces users to set it, which will trigger the authorization code flow.

However, authorization code cannot be used, because Hoppscotch's final token exchange happens on the client, where Azure AD has CORS headers that block the request as well as a check on the Origin header, throwing the following error with a 400 Bad Request:

AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'https://hoppscotch.io'.

Steps to reproduce

  1. Create a request to an authorized API with OAuth2.
  2. Set authorization type to "OAuth 2.0".
  3. Configure the authorization code flow by setting client secret / client credentials flow by removing it.
  4. Click "Generate Token".

Environment

Production

Version

Cloud

Dan6erbond added the bug and need testing labels on Nov 21, 2023

@liyasthomas (Member)

@amk-dev can you look into this?

Dan6erbond linked a pull request on Nov 21, 2023 that will close this issue