fix: show client secret input for PKCE auth code flow

PKCE and Client Secrets are allowed to coexist and neither is designed as a replacement for the other. [1] It is wrong to assume that a client secret must not or cannot be used in combination with PKCE. Quite the opposite, when possible both PKCE and client secret should be used. [2] So the premises of swagger-api#6290 and swagger-api#8146 are not correct. Admittedly, for users of the PKCE mechanism WITHOUT a client secret it might be a minor nuisance to see the client secret input in the Swagger UI. But they can just leave it empty. On the other hand, for users of the PKCE mechanism WITH a client secret it is more than just a nuisance if the client secret input is not shown. The Swagger UI becomes unusable for them (unless they've set a default value for the client secret, which will be used hiddenly without being shown to the user). Therefore the right course of action for now would be to revert swagger-api#7438 to show the client secret input always regardless of PKCE. In the future a new flag could be introduced to hide the client secret input regardless of the PKCE flag. [1] https://oauth.net/2/pkce/ [2] https://www.oauth.com/oauth2-servers/pkce/
Phoosha · Nov 2, 2022 · 645ecd5 · 645ecd5
1 parent cced547
commit 645ecd5
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/src/core/components/auth/oauth2.jsx b/src/core/components/auth/oauth2.jsx
@@ -212,7 +212,7 @@ export default class Oauth2 extends React.Component {
         }
 
         {
-          ( (flow === AUTH_FLOW_APPLICATION || flow === AUTH_FLOW_ACCESS_CODE && !isPkceCodeGrant || flow === AUTH_FLOW_PASSWORD) && <Row>
+          ( (flow === AUTH_FLOW_APPLICATION || flow === AUTH_FLOW_ACCESS_CODE || flow === AUTH_FLOW_PASSWORD) && <Row>
             <label htmlFor="client_secret">client_secret:</label>
             {
               isAuthorized ? <code> ****** </code>

diff --git a/test/e2e-cypress/tests/features/auth-code-flow-pkce-without-secret.js b/test/e2e-cypress/tests/features/auth-code-flow-pkce-without-secret.js
@@ -1,5 +1,5 @@
 describe("Check client_secret for OAuth2 Authorization Code flow with and without PKCE (#6290)", () => {
-  it("should not display client_secret field for authorization code flow with PKCE", () => {
+  it("should display client_secret field for authorization code flow with PKCE", () => {
     cy.visit(
       "/?url=/documents/features/auth-code-flow-pkce-without-secret.yaml"
     )
@@ -19,7 +19,7 @@ describe("Check client_secret for OAuth2 Authorization Code flow with and withou
       .get(".flow")
       .contains("authorizationCode with PKCE")
       .get("#client_secret")
-      .should("not.exist")
+      .should("exist")
   })
 
   it("should display client_secret field for authorization code flow without PKCE", () => {