
I'm using Doorkeeper to handle OAuth2 authorization in my web application.

Since I am the owner of the web application, I should be able to use the Password Credentials grant type using only a client_id and the user credentials.

I am wondering if there is a way to whitelist the applications that are allowed to use this flow?

My concern is that if there is no way to whitelist them, what could stop an evil user from gathering my users' credentials? He could take my client_id token and use it to build his own authentication interface. He would basically just ask for user credentials and send a token request to my OAuth2 provider on my behalf, using my client_id token.

Am I missing something here?

Pierre-Louis Gottfrois

1 Answer


Your concern is legit and you are absolutely right. Doorkeeper does not require client credentials on the password grant; see why here.

As I was doing some research on the subject, I stumbled upon these answers:

One solution suggested in the first link is: don't use the password grant.

Another one is: you can implement a custom client authentication on top of Doorkeeper's resource owner password credentials grant.

I know I didn't offer my own help and just copy-pasted some refs, but as I was also searching for an answer, I see no reason to leave you without one. I know this question is old, but it's still unanswered. Hope that still helps some people.

wRadion
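To make the second suggestion concrete, here is an added example (not from the question, the answer, or Doorkeeper itself) of what "client authentication on top of the password grant" means: a plain Ruby check that refuses a `grant_type=password` token request unless the client presents a `client_secret` matching a registered client. The client id and secret are constructed sample values, and the check is written stand-alone rather than through Doorkeeper's hooks.

```ruby
require 'digest'

# Constructed registry of the first-party clients allowed to use the password
# grant. A real deployment keeps this in the database; the id and secret here
# are made-up sample values, stored as a SHA-256 digest rather than in clear text.
PASSWORD_GRANT_CLIENTS = {
  'web-frontend' => Digest::SHA256.hexdigest('sample-secret-kept-server-side')
}.freeze

# Compares two digests without stopping at the first differing byte, so the
# response time does not reveal how much of a guessed secret was correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Takes the form parameters of a token request and returns [status, error_code].
# A request carrying only client_id is treated as an unauthenticated client and
# refused: the client_id is public, so by itself it cannot prove which
# application is asking, which is exactly the gap the question describes.
def authenticate_password_grant(params)
  return [400, 'unsupported_grant_type'] unless params['grant_type'] == 'password'

  client_id     = params['client_id'].to_s
  client_secret = params['client_secret'].to_s
  return [401, 'invalid_client'] if client_id.empty? || client_secret.empty?

  expected = PASSWORD_GRANT_CLIENTS[client_id]
  return [401, 'invalid_client'] if expected.nil?

  presented = Digest::SHA256.hexdigest(client_secret)
  return [401, 'invalid_client'] unless secure_equal?(expected, presented)

  [200, nil]
end
```

This only helps when the first-party client that calls the token endpoint runs server-side and can keep the secret confidential. A secret shipped inside browser JavaScript or a mobile app is as public as the client_id, and the check above then adds nothing.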