oauthutil: clear client secret if client ID is set

When an external OAuth flow is being used (i.e. a client ID and an OAuth token are set in the config), a client secret should not be set. If one is, the server may reject a token refresh attempt. But there's no way to clear out a backend's default client secret via configuration, since empty-string config values are ignored. So instead, when a client ID is set, we should clear out any default client secret, since it wouldn't apply anyway.
2024-11-07 09:04:52 +01:00 · 2024-04-27 20:36:41 -04:00 · 2024-04-27 20:36:41 -04:00 · cd76fd9219
commit cd76fd9219
parent 5b8cdaff39
1 changed files with 3 additions and 0 deletions
--- a/lib/oauthutil/oauthutil.go
+++ b/lib/oauthutil/oauthutil.go
@ -376,6 +376,9 @@ func overrideCredentials(name string, m configmap.Mapper, origConfig *oauth2.Con
 	ClientID, ok := m.Get(config.ConfigClientID)
 	if ok && ClientID != "" {
 		newConfig.ClientID = ClientID
+		// Clear out any existing client secret since the ID changed.
+		// (otherwise it's impossible for a config to clear the secret)
+		newConfig.ClientSecret = ""
 		changed = true
 	}
 	ClientSecret, ok := m.Get(config.ConfigClientSecret)