Merge pull request #221 from DuendeSoftware/ev/bff/allow-empty-clientsecret

Erwinvandervalk · web-flow · commit d8d1bff417c7 · 2025-07-15T13:28:43.000+02:00
allow empty clientsecret and fix clientid null in sample
diff --git a/access-token-management/samples/BlazorServer/Plumbing/OidcEvents.cs b/access-token-management/samples/BlazorServer/Plumbing/OidcEvents.cs
@@ -23,7 +23,10 @@ public override async Task TokenValidated(TokenValidatedContext context)
             AccessTokenType = AccessTokenType.Parse(context.TokenEndpointResponse.TokenType),
             RefreshToken = RefreshToken.Parse(context.TokenEndpointResponse.RefreshToken),
             Scope = Scope.Parse(context.TokenEndpointResponse.Scope),
-            ClientId = ClientId.Parse(context.ProtocolMessage.ClientId),
+
+            // The clientid isn't always returned from the protocol response.
+            // Either get it from IOptions<OpenIdConnectOptions> or hard code it like below. 
+            ClientId = ClientId.Parse(context.TokenEndpointResponse.ClientId ?? "interactive.confidential.short"),
             IdentityToken = IdentityToken.Parse(context.TokenEndpointResponse.IdToken),
             Expiration = exp,
         });
diff --git a/access-token-management/src/AccessTokenManagement/ClientCredentialsClient.cs b/access-token-management/src/AccessTokenManagement/ClientCredentialsClient.cs
@@ -95,11 +95,6 @@ public ValidateOptionsResult Validate(string? name, ClientCredentialsClient opti
                 errors.Add($"{nameof(options.TokenEndpoint)} cannot be null for {subject}");
             }
 
-            if (options.ClientSecret == null)
-            {
-                errors.Add($"{nameof(options.ClientSecret)} cannot be null for {subject}");
-            }
-
             if (errors.Any())
             {
                 return ValidateOptionsResult.Fail(errors);
diff --git a/access-token-management/src/AccessTokenManagement/Internal/ClientCredentialsTokenClient.cs b/access-token-management/src/AccessTokenManagement/Internal/ClientCredentialsTokenClient.cs
@@ -40,11 +40,6 @@ public virtual async Task<TokenResult<ClientCredentialsToken>> RequestAccessToke
             throw new InvalidOperationException($"No TokenEndpoint configured for client {clientName}");
         }
 
-        if (client.ClientSecret == null)
-        {
-            throw new InvalidOperationException($"No ClientSecret configured for client {clientName}");
-        }
-
         using var logScope = logger.BeginScope(
             (OTelParameters.ClientId, client.ClientId)
         );
diff --git a/access-token-management/test/AccessTokenManagement.Tests/ClientTokenManagementTests.cs b/access-token-management/test/AccessTokenManagement.Tests/ClientTokenManagementTests.cs
@@ -67,21 +67,29 @@ public async Task Missing_client_id_throw_exception()
     [Fact]
     public async Task Missing_client_secret_throw_exception()
     {
+
+        var mockedRequest = mockHttp.Expect("/connect/token")
+            .Respond(_ => Some.TokenHttpResponse());
+
+        services.AddHttpClient(ClientCredentialsTokenManagementDefaults.BackChannelHttpClientName)
+            .ConfigurePrimaryHttpMessageHandler(() => mockHttp);
+
         services.AddClientCredentialsTokenManagement()
             .AddClient("test", client =>
             {
                 client.TokenEndpoint = new Uri("https://as/connect/token");
-                client.ClientId = ClientId.Parse("test");
+                client.ClientId = The.ClientId;
                 client.ClientSecret = null;
             });
 
         var provider = services.BuildServiceProvider();
         var sut = provider.GetRequiredService<IClientCredentialsTokenManager>();
 
-        var action = async () => await sut.GetAccessTokenAsync(ClientCredentialsClientName.Parse("test"));
+        var token = await sut.GetAccessTokenAsync(ClientCredentialsClientName.Parse("test")).GetToken();
+        mockHttp.VerifyNoOutstandingExpectation();
+
+        token.ShouldBeEquivalentTo(Some.ClientCredentialsToken());
 
-        (await Should.ThrowAsync<OptionsValidationException>(action))
-            .Message.ShouldContain("ClientId");
     }
 
     [Fact]

Original file line number	Diff line number	Diff line change
`@@ -95,11 +95,6 @@ public ValidateOptionsResult Validate(string? name, ClientCredentialsClient opti`
`95`	`95`	`errors.Add($"{nameof(options.TokenEndpoint)} cannot be null for {subject}");`
`96`	`96`	`}`
`97`	`97`
`98`		`- if (options.ClientSecret == null)`
`99`		`- {`
`100`		`- errors.Add($"{nameof(options.ClientSecret)} cannot be null for {subject}");`
`101`		`- }`
`102`		`-`
`103`	`98`	`if (errors.Any())`
`104`	`99`	`{`
`105`	`100`	`return ValidateOptionsResult.Fail(errors);`