
This behaviour differs in the master branch and in the v4.0 branch of DotNetOpenAuth as of the moment of writing. I'm using the Resource Owner Password Credentials grant type with a public client. The master branch issues a token as expected. The v4.0 branch considers the request invalid. The execution flow ends up in the AccessRequestBindingElement.ProcessIncomingMessage method, where the following code is executed:

// Check that the client secret is correct.
var client = this.AuthorizationServer.GetClientOrThrow(accessRequest.ClientIdentifier);
string secret = client.Secret;
ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(secret), Protocol.unauthorized_client); // an empty secret is not allowed for client authenticated calls.

Since the client is public, the code generates an error. The comment in the code above, however, implies that the grant is client authenticated and not resource owner password credentials. Am I calling this wrongly?

In the master branch the same call works.

Andrew Savinykh
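To make the difference between the two checks concrete, here is an added example of a minimal token-endpoint validator for the grant_type=password request described above. It is illustrative code written for this answer, not DotNetOpenAuth's own code: the client registry, the `Client` type, the user store and the two `check_client_*` functions are all constructed for the example. `check_client_v40_style` reproduces the quoted v4.0 logic (an empty secret is rejected with `unauthorized_client`, so a public client can never get a token), while `check_client_public_aware` follows RFC 6749 section 3.2.1, requiring client authentication only for confidential clients.

```python
"""Added example (not DotNetOpenAuth code): a minimal Resource Owner Password
Credentials token-endpoint validator, contrasting a 'secret always required'
client check with one that distinguishes confidential and public clients."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    secret: Optional[str]  # None or "" marks a public client (no credential to verify)

    @property
    def is_public(self) -> bool:
        return not self.secret


# Constructed in-memory client registry standing in for the host's client lookup.
CLIENTS = {
    "confidential-app": Client("confidential-app", "s3cr3t"),
    "mobile-app": Client("mobile-app", None),  # public client, like the one in the question
}

# Constructed resource-owner store (username -> password); a real server stores hashes.
USERS = {"alice": "correct horse battery staple"}


class OAuthError(Exception):
    """Carries an RFC 6749 error code for the token response."""

    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


def _lookup(req: dict) -> Client:
    client = CLIENTS.get(req.get("client_id", ""))
    if client is None:
        raise OAuthError("invalid_client")
    return client


def check_client_v40_style(req: dict) -> Client:
    """Mirrors the v4.0 branch logic quoted in the question: an empty secret is
    rejected outright, so public clients are excluded from this grant type."""
    client = _lookup(req)
    if not client.secret:
        raise OAuthError("unauthorized_client")
    if not hmac.compare_digest(client.secret, req.get("client_secret", "")):
        raise OAuthError("invalid_client")
    return client


def check_client_public_aware(req: dict) -> Client:
    """Confidential clients must present their secret; public clients are
    identified by client_id alone (RFC 6749 s.3.2.1)."""
    client = _lookup(req)
    if not client.is_public:
        if not hmac.compare_digest(client.secret, req.get("client_secret", "")):
            raise OAuthError("invalid_client")
    return client


def issue_token(req: dict, client_check: Callable[[dict], Client]) -> dict:
    """Validate a password-grant request with the given client check and return
    either a bearer token response or an error response."""
    try:
        if req.get("grant_type") != "password":
            raise OAuthError("unsupported_grant_type")
        client = client_check(req)
        expected = USERS.get(req.get("username", ""))
        if expected is None or not hmac.compare_digest(expected, req.get("password", "")):
            raise OAuthError("invalid_grant")  # resource owner credentials rejected
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "bearer",
            "client_id": client.client_id,
        }
    except OAuthError as e:
        return {"error": e.code}


if __name__ == "__main__":
    public_req = {"grant_type": "password", "client_id": "mobile-app",
                  "username": "alice", "password": "correct horse battery staple"}
    print("v4.0-style:", issue_token(public_req, check_client_v40_style))
    print("public-aware:", issue_token(public_req, check_client_public_aware))
```

Running it with the public client shows the v4.0-style check answering `unauthorized_client` while the public-aware check issues a token; a confidential client with a wrong secret is refused by both. Whether an authorization server should accept public clients on this grant at all is a separate policy decision: since nothing authenticates the client, the server can only attribute and revoke the resulting tokens by the self-asserted client_id, which is the user-experience concern raised in the answer below.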

1 Answer


v4.0 didn't support the scenario while the master branch (slated for v4.1) currently does. Whether DotNetOpenAuth continues to support public clients using the resource owner password grant type is still to be determined, as it causes issues with the authorization server's ability to revoke the tokens with a reasonable user experience if the user wants to review the authorized clients.

Andrew Arnott