redirect_uri is required for client_credentials consumers

Created on 23 January 2024, 10 months ago

Problem/Motivation

redirect_uri is used by the authorization_code grant type to ensure that the (web/mobile) application requesting the authorization code is the correct one. In the client_credentials grant type it's not used because it's understood there is a direct connection between the client and server (rather than going through a user's browser) which is authenticated with a client_id and secret. This means no redirects take place and redirect_uri is not needed.

redirect_uri is currently part of a multi-value field which is always required. This means that consumers which only use the client_credentials grant type (i.e. fully machine-to-machine applications) cannot be created without filling in a dummy redirect URI.

Steps to reproduce

Proposed resolution

Make the field only required under the "authorization code" field group when that grant type is enabled. Similar to what happens for fields such as "Use PKCE".

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

6.0

Component

Code

Created by

🇳🇱Netherlands kingdutch
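
The grant-dependent requirement described in this issue, as an added example that is not part of the original report or the module's code: a Python sketch in which redirect_uri is required only when authorization_code is enabled, and client_credentials is authenticated by secret alone. The consumer dict shape, the function names and the sample values are assumptions made for illustration.

```python
import hmac

SUPPORTED = {"authorization_code", "client_credentials"}

def validate_consumer(consumer):
    """Return registration errors for a consumer dict (hypothetical shape)."""
    errors = []
    grants = set(consumer.get("grant_types", []))
    uris = [u for u in consumer.get("redirect_uris", []) if u.strip()]
    # redirect_uri only matters when the browser-based flow is enabled.
    if "authorization_code" in grants and not uris:
        errors.append("redirect_uri is required for authorization_code")
    # client_credentials has no redirect; it relies on the secret instead.
    if "client_credentials" in grants and not consumer.get("secret"):
        errors.append("secret is required for client_credentials")
    return errors

def check_token_request(consumer, request):
    """Return None if the request is acceptable, else an OAuth2 error code."""
    grant = request.get("grant_type")
    if grant not in SUPPORTED:
        return "unsupported_grant_type"
    if grant not in consumer.get("grant_types", []):
        return "unauthorized_client"
    if grant == "client_credentials":
        # Direct client-to-server call: constant-time check of the secret.
        secret = consumer.get("secret", "")
        supplied = request.get("client_secret", "")
        if not secret or not hmac.compare_digest(supplied.encode(), secret.encode()):
            return "invalid_client"
        return None
    # authorization_code: exact match against a registered URI. Simplified:
    # validation of the authorization code itself is out of scope here.
    if request.get("redirect_uri") not in consumer.get("redirect_uris", []):
        return "invalid_grant"
    return None

# Constructed sample consumers (not taken from the issue).
M2M = {"client_id": "m2m-sync", "secret": "constructed-secret",
       "grant_types": ["client_credentials"], "redirect_uris": []}
WEB = {"client_id": "web-app", "secret": "constructed-secret-2",
       "grant_types": ["authorization_code"],
       "redirect_uris": ["https://app.example/callback"]}

if __name__ == "__main__":
    print(validate_consumer(M2M))  # machine-to-machine consumer, no redirect URI
    print(validate_consumer({**WEB, "redirect_uris": []}))
```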
