Fixed the 'client_id' validation – required for the Auth Code Flow only
Alex Klaus committed Nov 4, 2024
1 parent d6b3cba commit ba250da
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion OpenIdDict.Server/Authorisation/OpenIdDictEvents.cs
Expand Up @@ -50,7 +50,8 @@ internal static class OpenIdDictEvents
internal static Func<OpenIddictServerEvents.ValidateTokenRequestContext, ValueTask> ValidateTokenRequestFunc(AppSettings.AuthCredentialsSettings authSettings) =>
validateTokenRequestContext =>
{
if (!string.Equals(validateTokenRequestContext.ClientId, authSettings.ClientId, StringComparison.OrdinalIgnoreCase))
if (validateTokenRequestContext.Request.IsAuthorizationCodeFlow() // Auth Code Flows must provide a predefined client_id
&& !string.Equals(validateTokenRequestContext.ClientId, authSettings.ClientId, StringComparison.OrdinalIgnoreCase))
{
validateTokenRequestContext.Reject(
error: OpenIddictConstants.Errors.InvalidClient,
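Review bot: The new first operand of the condition on the `if` line appears to test the wrong request property: in OpenIddict's request extensions, `IsAuthorizationCodeFlow()` inspects `response_type` (what an authorization request carries), while a token request carries `grant_type`, for which the matching predicate is `IsAuthorizationCodeGrantType()`; if that holds for the version in use, the operand is false for every token request and the client_id comparison is never reached, including for the code exchange the commit title says it still covers. The fix is one line, `if (validateTokenRequestContext.Request.IsAuthorizationCodeGrantType() // Auth Code grant must present the predefined client_id`, with the rest of the condition unchanged, and ideally a test that a token request with `grant_type=authorization_code` and a foreign `client_id` is rejected with `invalid_client`. Independently of that, the change means refresh-token and any other enabled grants now skip this check entirely, so the binding of those tokens to the issuing client must be enforced elsewhere (presumably by OpenIddict's own token/presenter validation, unless the server runs in degraded mode) — worth a comment stating that assumption, e.g. `// Other grants rely on OpenIddict's token validation to bind the token to its client`. The lambda body continues past the hunk; the `Reject(...)` call is cut off.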
