You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Additionally, I found the client_secret to be mandatory in the constructors of OIDTVAuthorizationRequest (the ones relevant to the device workflow), however, the RFC doesn't mention client_secret to be used for the authorization endpoint as the workflow is designed for public clients. Should that be optional?
According to https://www.rfc-editor.org/rfc/rfc8628#section-3.4 when requesting a token during the device workflow the client_id is required when the client is not able to authenticate to the IDP.
This code shows, that only the device_code and user_code are used in the request:
https://github.com/openid/AppAuth-iOS/blob/c89ed571ae140f8eb1142735e6e23d7bb8c34cb2/Sources/AppAuthTV/OIDTVTokenRequest.m#L160C1-L172C2
Should that be amended to include the client_id as well?
The text was updated successfully, but these errors were encountered: