client confidentiality toggle

migrations/0004_quiet_wolfsbane.sql

@@ -0,0 +1 @@
+ALTER TABLE `o_auth2_client` ADD `confidential` tinyint DEFAULT 1 NOT NULL;

migrations/meta/_journal.json

@@ -29,6 +29,13 @@
       "when": 1717843139528,
       "tag": "0003_round_killmonger",
       "breakpoints": true
+    },
+    {
+      "idx": 4,
+      "version": "5",
+      "when": 1717853591270,
+      "tag": "0004_quiet_wolfsbane",
+      "breakpoints": true
     }
   ]
 }

src/lib/components/admin/AdminClientCard.svelte

@@ -33,6 +33,9 @@
 			<dt>{$t('admin.oauth2.verified')}</dt>
 			<dd>{$t(`common.bool.${Boolean(client.verified)}`)}</dd>
 
+			<dt>{$t('admin.oauth2.confidential')}</dt>
+			<dd>{$t(`common.bool.${Boolean(client.confidential)}`)}</dd>
+
 			<dt>{$t('admin.oauth2.created')}</dt>
 			<dd>{formatDate(client.created_at)}</dd>
 

src/lib/components/form/FormControl.svelte

@@ -39,6 +39,10 @@
 			padding: 1rem;
 			border-radius: 4px;
 		}
+
+		&[type='checkbox'] {
+			grid-area: box;
+		}
 	}
 
 	.form-control > :global(label) {
@@ -66,12 +70,20 @@
 	}
 
 	.form-control:has(input[type='checkbox']) {
-		flex-direction: row;
+		display: grid;
-		gap: 1rem;
+		grid-template-areas: 'box label' 'hint hint';
+		grid-template-columns: min-content auto;
+		justify-content: start;
+		column-gap: 1rem;
 		align-items: center;
 	}
 
+	.form-control:has(input[type='checkbox']) > :global(span) {
+		grid-area: hint;
+	}
+
 	.form-control:has(input[type='checkbox']) > :global(label) {
+		grid-area: label;
 		margin: 0;
 	}
 </style>

src/lib/i18n/en/admin.json

@@ -43,7 +43,8 @@
 		"scopesHint": "The level of access to information you will be needing for this application.",
 		"grants": "Available grant types",
 		"grantsHint": "The OAuth2 authorization flows you will be using with this application.",
-		"grantsWarning": "Please note that id_token, implicit and device_code grant types are less secure than other flows, as they do not require a server to authenticate this application with its secret and there is potential for impersonation. You might want to make a separate application for using these flows and give them access to less information.",
+		"confidential": "Confidential",
+		"confidentialHint": "Uncheck this checkbox if you cannot reasonably guarantee the secrecy of your Client secret, such as in the case of your application being a native (desktop, mobile, etc.) application. Unchecking this will allow you to get tokens without client authentication. Some functionality may be limited in public applications.",
 		"created": "Created at",
 		"owner": "Created by",
 		"ownerMe": "that's you!",
@@ -97,8 +98,8 @@
 			"client_credentials": "Client credentials",
 			"refresh_token": "Refresh token",
 			"device_code": "Device authorization",
-			"implicit": "Implicit token",
+			"implicit": "Implicit access token (not recommended)",
-			"id_token": "ID token (OpenID Connect)"
+			"id_token": "Implicit ID token (not recommended)"
 		},
 		"scopeTexts": {
 			"picture": "Access profile picture URL",

src/lib/server/drizzle/schema.ts

@@ -52,6 +52,7 @@ export const oauth2Client = mysqlTable(
 		grants: text('grants').default('authorization_code').notNull(),
 		activated: tinyint('activated').default(0).notNull(),
 		verified: tinyint('verified').default(0).notNull(),
+		confidential: tinyint('confidential').default(1).notNull(),
 		pictureId: int('pictureId').references(() => upload.id, { onDelete: 'set null' }),
 		ownerId: int('ownerId').references(() => user.id, { onDelete: 'set null' }),
 		created_at: datetime('created_at', { mode: 'date', fsp: 6 })

src/lib/server/oauth2/controller/authorization.ts

@@ -113,6 +113,12 @@ export class OAuth2AuthorizationController {
 			throw new InvalidGrant('Invalid code challenge method');
 		}
 
+		if (client.confidential === 0 && !codeChallenge && grantTypes.includes('authorization_code')) {
+			throw new InvalidGrant(
+				'A code_challenge is required for the authorization_code grant in non-confidential clients'
+			);
+		}
+
 		return {
 			client,
 			user: locals.user,

src/lib/server/oauth2/controller/device-authorization.ts

@@ -11,8 +11,8 @@ export class OAuth2DeviceAuthorizationController {
 		let clientId: string | null = null;
 		let clientSecret: string | null = null;
 		if (body.client_id) {
-			clientId = body.client_id;
+			clientId = body.client_id as string;
-			clientSecret = body.client_secret;
+			clientSecret = body.client_secret as string;
 		} else {
 			if (!request.headers?.has('authorization')) {
 				throw new InvalidRequest('No authorization header passed');
@@ -46,8 +46,10 @@ export class OAuth2DeviceAuthorizationController {
 			throw new InvalidClient('Client not found');
 		}
 
-		// This flow is the only one we allow to use public access (secret not required)
+		if (
-		if (clientSecret && !OAuth2Clients.checkSecret(client, clientSecret)) {
+			(client.confidential === 1 || clientSecret) &&
+			!OAuth2Clients.checkSecret(client, clientSecret)
+		) {
 			throw new UnauthorizedClient('Invalid client secret');
 		}
 

src/lib/server/oauth2/controller/token.ts

@@ -69,8 +69,8 @@ export class OAuth2TokenController {
 			throw new InvalidClient('Client not found');
 		}
 
-		// Device code flow does not require client authentication
+		// client_credentials cannot be fetched in public clients.
-		if (grantType !== 'device_code' || clientSecret) {
+		if (client.confidential === 1 || clientSecret || grantType === 'client_credentials') {
 			const valid = OAuth2Clients.checkSecret(client, clientSecret);
 			if (!valid) {
 				throw new UnauthorizedClient('Invalid client secret');

src/lib/server/oauth2/controller/tokens/authorizationCode.ts

@@ -61,7 +61,6 @@ export async function authorizationCode(
 	const userId = code.userId as number;
 	const clientId = client.client_id;
 
-	if (OAuth2Codes.getCodeChallenge) {
 	const { challenge, method } = OAuth2Codes.getCodeChallenge(code);
 
 	if (challenge && method) {
@@ -85,7 +84,6 @@ export async function authorizationCode(
 	}
 
 	// console.debug('Code passed PCKE check');
-	}
 
 	if (!OAuth2Clients.checkGrantType(client, 'refresh_token')) {
 		// console.debug('Client does not allow grant type refresh_token, skip creation');

src/lib/server/oauth2/controller/tokens/device.ts

@@ -5,6 +5,7 @@ import {
 	OAuth2AccessTokens,
 	OAuth2Clients,
 	OAuth2DeviceCodes,
+	OAuth2RefreshTokens,
 	OAuth2Tokens,
 	OAuth2Users
 } from '../../model';
@@ -55,6 +56,18 @@ export async function device(client: OAuth2Client, deviceCode: string) {
 		}
 	}
 
+	if (OAuth2Clients.checkGrantType(client, 'refresh_token')) {
+		try {
+			resObj.refresh_token = await OAuth2RefreshTokens.create(
+				user.id,
+				client.client_id,
+				cleanScope
+			);
+		} catch (err) {
+			throw new ServerError('Failed to call refreshTokens.create function');
+		}
+	}
+
 	resObj.expires_in = OAuth2Tokens.tokenTtl;
 
 	await OAuth2DeviceCodes.removeByCode(deviceCode);

src/lib/server/oauth2/model/client.ts

@@ -176,7 +176,7 @@ export class OAuth2Clients {
 		return list;
 	}
 
-	static checkSecret(client: OAuth2Client, secret: string) {
+	static checkSecret(client: OAuth2Client, secret: string | null) {
 		return client.client_secret === secret;
 	}
 
@@ -316,7 +316,13 @@ export class OAuth2Clients {
 		};
 	}
 
-	static async createClient(subject: User, title: string, redirect: string, description?: string) {
+	static async createClient(
+		subject: User,
+		title: string,
+		redirect: string,
+		description?: string,
+		confidential: boolean = true
+	) {
 		const uid = CryptoUtils.createUUID();
 		const secret = CryptoUtils.generateSecret();
 
@@ -330,7 +336,8 @@ export class OAuth2Clients {
 			ownerId: subject.id,
 			created_at: new Date(),
 			activated: 1,
-			verified: 0
+			verified: 0,
+			confidential: Number(confidential)
 		});
 
 		await DB.drizzle.insert(oauth2ClientUrl).values({

src/routes/ssoadmin/oauth2/[uuid]/+page.server.ts

@@ -25,6 +25,7 @@ interface UpdateRequest {
 	description: string;
 	activated?: string;
 	verified?: string;
+	confidential?: string;
 }
 
 interface AddPrivilegeRequest {
@@ -80,8 +81,9 @@ export const actions = {
 		const { details, fullPrivileges } = await getActionData(locals, uuid);
 
 		const body = await request.formData();
-		const { title, description, activated, verified } = Changesets.take<UpdateRequest>(
+		const { title, description, activated, verified, confidential } =
-			['title', 'description', 'activated', 'verified'],
+			Changesets.take<UpdateRequest>(
+				['title', 'description', 'activated', 'verified', 'confidential'],
 				body
 			);
 
@@ -90,6 +92,7 @@ export const actions = {
 		}
 
 		const actuallyVerified = fullPrivileges ? Number(!!verified) : undefined;
+		const actuallyConfidential = fullPrivileges ? Number(!!confidential) : undefined;
 		const actuallyActivated = Number(!!activated);
 
 		if (title && (title.length < 3 || title.length > 32)) {
@@ -104,7 +107,8 @@ export const actions = {
 			title,
 			description,
 			verified: actuallyVerified,
-			activated: actuallyActivated
+			activated: actuallyActivated,
+			confidential: actuallyConfidential
 		});
 
 		return { errors: [] };

src/routes/ssoadmin/oauth2/[uuid]/+page.svelte

@@ -102,6 +102,18 @@
 							/>
 						</FormControl>
 
+						<FormControl>
+							<label for="client-confidential">{$t('admin.oauth2.confidential')}</label>
+							<input
+								disabled={!data.fullPrivileges}
+								type="checkbox"
+								name="confidential"
+								id="client-confidential"
+								checked={Boolean(data.details.confidential)}
+							/>
+							<span>{$t('admin.oauth2.confidentialHint')}</span>
+						</FormControl>
+
 						<FormControl>
 							<label for="client-activated">{$t('admin.oauth2.activated')}</label>
 							<input
@@ -245,7 +257,6 @@
 
 	<h2>{$t('admin.oauth2.grants')}</h2>
 	<p>{$t('admin.oauth2.grantsHint')}</p>
-	<p><b>{$t('admin.oauth2.grantsWarning')}</b></p>
 
 	<form action="?/grants" method="POST">
 		<div class="checkbox-grid">

src/routes/ssoadmin/oauth2/new/+page.server.ts

@@ -7,6 +7,7 @@ interface CreateClientRequest {
 	title: string;
 	description: string;
 	redirectUri: string;
+	confidential?: string;
 }
 
 export const actions = {
@@ -16,8 +17,8 @@ export const actions = {
 		]);
 
 		const body = await request.formData();
-		const { title, description, redirectUri } = Changesets.take<CreateClientRequest>(
+		const { title, description, redirectUri, confidential } = Changesets.take<CreateClientRequest>(
-			['title', 'description', 'redirectUri'],
+			['title', 'description', 'redirectUri', 'confidential'],
 			body
 		);
 
@@ -33,7 +34,13 @@ export const actions = {
 			return fail(400, { errors: ['noRedirect'] });
 		}
 
-		const uuid = await OAuth2Clients.createClient(currentUser, title, redirectUri, description);
+		const uuid = await OAuth2Clients.createClient(
+			currentUser,
+			title,
+			redirectUri,
+			description,
+			!!confidential
+		);
 
 		return redirect(303, `/ssoadmin/oauth2/${uuid}`);
 	}

src/routes/ssoadmin/oauth2/new/+page.svelte

@@ -7,6 +7,7 @@
 	import { t } from '$lib/i18n';
 	import type { ActionData } from './$types';
 	import { env } from '$env/dynamic/public';
+	import SplitView from '$lib/components/container/SplitView.svelte';
 
 	export let form: ActionData;
 </script>
@@ -17,6 +18,7 @@
 
 <h1>{$t('admin.oauth2.new')}</h1>
 
+<SplitView>
 	<form action="" method="POST">
 		<FormWrapper>
 			<FormErrors errors={form?.errors || []} prefix="admin.oauth2.errors" />
@@ -27,6 +29,12 @@
 					<input name="title" id="form-title" required />
 				</FormControl>
 
+				<FormControl>
+					<label for="client-confidential">{$t('admin.oauth2.confidential')}</label>
+					<input type="checkbox" name="confidential" id="client-confidential" checked />
+					<span>{$t('admin.oauth2.confidentialHint')}</span>
+				</FormControl>
+
 				<FormControl>
 					<label for="form-redirectUri">{$t('admin.oauth2.urls.types.redirect_uri')}</label>
 					<input name="redirectUri" type="url" id="form-redirectUri" required />
@@ -41,3 +49,4 @@
 			<Button type="submit" variant="primary">{$t('common.submit')}</Button>
 		</FormWrapper>
 	</form>
+</SplitView>