Bug 1599054 - allow callers to ommit sending OAuth2 client_secret parameter. r=mkmelin
authorJohn Bieling <john.bieling@gmx.de>
Sun, 01 Dec 2019 12:52:35 +0200
changeset 36759 8c2f8de771068d5bc849a4e1c5c33329f1e7ea01
parent 36758 7dcc5e7050596410102eb42e30fdf1003e3477d8
child 36760 a0470cab33c08920a9b7644048e36144ce05d396
push id2534
push userclokep@gmail.com
push dateMon, 02 Dec 2019 19:52:51 +0000
reviewersmkmelin
bugs1599054
Bug 1599054 - allow callers to ommit sending OAuth2 client_secret parameter. r=mkmelin
mailnews/base/util/OAuth2.jsm
--- a/mailnews/base/util/OAuth2.jsm
+++ b/mailnews/base/util/OAuth2.jsm
@@ -11,17 +11,31 @@ var EXPORTED_SYMBOLS = ["OAuth2"];
 const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
 const { Log4Moz } = ChromeUtils.import("resource:///modules/gloda/log4moz.js");
 
 Cu.importGlobalProperties(["fetch"]);
 
 // Only allow one connecting window per endpoint.
 var gConnecting = {};
 
-function OAuth2(aBaseURI, aScope, aAppKey, aAppSecret) {
+/**
+ * Constructor for the OAuth2 object.
+ *
+ * @constructor
+ * @param {string} aBaseURI - The base URI for authentication and token
+ *   requests, oauth2/auth or oauth2/token will be added for the actual
+ *   requests.
+ * @param {?string} aScope - The scope as specified by RFC 6749 Section 3.3.
+ *   Will not be included in the requests if falsy.
+ * @param {string} aAppKey - The client_id as specified by RFC 6749 Section
+ *   2.3.1.
+ * @param {string} [aAppSecret=null] - The client_secret as specified in
+ *    RFC 6749 section 2.3.1. Will not be included in the requests if null.
+ */
+function OAuth2(aBaseURI, aScope, aAppKey, aAppSecret = null) {
   this.authURI = aBaseURI + "oauth2/auth";
   this.tokenURI = aBaseURI + "oauth2/token";
   this.consumerKey = aAppKey;
   this.consumerSecret = aAppSecret;
   this.scope = aScope;
   this.extraAuthParams = [];
 
   this.log = Log4Moz.getConfiguredLogger("TBOAuth");
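Review bot: The new JSDoc types the secret as `@param {string} [aAppSecret=null]`, so `null` is the documented default but the type does not admit it, while `aScope` two tags above already uses `{?string}` for exactly that case. I would change the tag to `@param {?string} [aAppSecret=null] - The client_secret as specified in RFC 6749 section 2.3.1. Omitted from the token requests when null.` and add that a caller passing `undefined` also ends up with null, since the default parameter on the signature substitutes it before the value is stored in `this.consumerSecret`. It is also worth stating that an empty string is not treated as absent and is sent as-is, so callers with a public client must pass null, not `""`. The constructor body continues past the end of the hunk.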
@@ -196,17 +210,22 @@ OAuth2.prototype = {
    * @param {boolean} aRefresh - Whether it's a refresh of a token or not.
    */
   requestAccessToken(aCode, aRefresh) {
     // @see RFC 6749 section 4.1.3. Access Token Request
     // @see RFC 6749 section 6. Refreshing an Access Token
 
     let data = new URLSearchParams();
     data.append("client_id", this.consumerKey);
-    data.append("client_secret", this.consumerSecret);
+    if (this.consumerSecret !== null) {
+      // Section 2.3.1. of RFC 6749 states that empty secrets MAY be omitted
+      // by the client. This OAuth implementation delegates this decission to
+      // the caller: If the secret is null, it will be omitted.
+      data.append("client_secret", this.consumerSecret);
+    }
 
     if (aRefresh) {
       this.log.info(
         `Making a refresh request to the token endpoint: ${this.tokenURI}`
       );
       data.append("grant_type", "refresh_token");
       data.append("refresh_token", aCode);
     } else {
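Review bot: The guard `if (this.consumerSecret !== null)` recognizes only `null`; if `consumerSecret` is ever left as `undefined` (the default parameter only covers the constructor argument, not a later assignment to the property) URLSearchParams would serialize it as the literal string `"undefined"` and send that as the client secret. Since the comment describes the intent as "omitted when the secret is absent", `if (this.consumerSecret != null) {` covers both null and undefined without changing the null case. The comment is accurate that RFC 6749 §2.3.1 lets a client omit an empty secret, but an empty string still reaches `data.append` here and goes out as `client_secret=`; saying so explicitly in the comment (and fixing "decission" to "decision") would save the next reader from assuming `""` is also dropped. requestAccessToken's body continues beyond the hunk.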