passport: Password Grant should not require client_secret

https://github.com/thephpleague/oauth2-server/issues/889

According to this discussion, thephpleague/oauth2-server no longer requires client_secret to be passed for password grants but Passport does require it. Can we make this optional as it is in thephpleague/oauth2-server?

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 29 (21 by maintainers)

Most upvoted comments

I’ve released version 8. Cheers for everyone’s patience. 👍

In Passport, omitting the client_secret will work but only if the oauth_client has a NULL secret value in the database. If the secret is set to anything, it will require the client_secret to be passed. I’m assuming this is by design. This is not documented, however, and using artisan passport:client --password will automatically set a secret, making this more of a hidden feature.

Just in case anyone is still following this issue, this will be possible in the next major version: https://github.com/laravel/passport/blob/d77c727fe7611ac69635ef436fca04a98ffee9af/tests/BridgeClientRepositoryTest.php#L77

Just tested this, and it seems the migrations set the secret column on oauth_clients to not allow null. For this to work, you need to manually add the Passport migrations, and set the column to be nullable.

Laravel version: 5.7.28
Passport version: 7.2.0

@driesvints Got it. Was not aware it blocked PKCE support in Passport but I know of the changes in v8. Doesn’t change what the IETF recommendations are though.

Passport checks the client secret like so:

if ($mustValidateSecret &&
    ! hash_equals($record->secret, (string) $clientSecret)) {
    return;
}

If you don’t pass a client secret, the default value is null which is cast to a string above. That would become just a blank string. I’m assuming your secret in the database is also a blank string which is why your implementation is working.

At the moment though, I don’t think the library supports the passing of no secret at all officially.
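The following is an added, stand-alone PHP illustration of the comparison quoted above; it is not Passport's or thephpleague/oauth2-server's own code. It models the stored secret as a small ClientRecord object (an assumption for this example) and walks through the three stored-secret cases discussed in this thread: a real secret, a blank string, and NULL. It then shows a variant of the check that treats a NULL stored secret as a public client and refuses a missing or empty secret for any client that has one stored, so that a blank database value can never be matched by an omitted parameter. Function and class names are assumptions, not Passport APIs.

```php
<?php
declare(strict_types=1);

// Added example (not Passport's code): stand-in for the oauth_clients row.
final class ClientRecord
{
    /** @var string|null  NULL models the nullable secret column discussed above */
    public $secret;

    public function __construct(?string $secret)
    {
        $this->secret = $secret;
    }
}

/**
 * Mirrors the quoted check. A null $clientSecret is cast to '' before the
 * comparison, so it matches a stored secret that is itself a blank string.
 * The stored side is cast as well here, because hash_equals() rejects a
 * non-string argument (warning on PHP 7, TypeError on PHP 8).
 */
function quotedStyleCheck(ClientRecord $record, bool $mustValidateSecret, ?string $clientSecret): bool
{
    if ($mustValidateSecret &&
        ! hash_equals((string) $record->secret, (string) $clientSecret)) {
        return false;
    }
    return true;
}

/**
 * Hardened variant (example only): a NULL stored secret means "public client",
 * anything else means "confidential client" and a non-empty, matching secret
 * is mandatory. An omitted parameter can no longer satisfy a blank stored value.
 */
function hardenedCheck(ClientRecord $record, bool $mustValidateSecret, ?string $clientSecret): bool
{
    if (! $mustValidateSecret) {
        return true;
    }
    if ($record->secret === null) {
        return true;                       // public client: no secret to verify
    }
    if ($clientSecret === null || $clientSecret === '') {
        return false;                      // confidential client, secret missing
    }
    return hash_equals($record->secret, $clientSecret);
}

// Constructed sample rows and requests covering the cases from the thread.
$cases = [
    'real secret, correct value given' => [new ClientRecord('s3cr3t'), 's3cr3t'],
    'real secret, secret omitted'      => [new ClientRecord('s3cr3t'), null],
    'blank secret, secret omitted'     => [new ClientRecord(''),       null],
    'NULL secret, secret omitted'      => [new ClientRecord(null),     null],
];

printf("%-34s %-14s %s\n", 'case', 'quoted style', 'hardened');
foreach ($cases as $label => [$record, $given]) {
    printf(
        "%-34s %-14s %s\n",
        $label,
        quotedStyleCheck($record, true, $given) ? 'accepted' : 'rejected',
        hardenedCheck($record, true, $given) ? 'accepted' : 'rejected'
    );
}
```

Run with `php example.php`. The quoted-style check accepts the "blank secret, secret omitted" row, which is the behaviour described earlier in this thread, and rejects the NULL row outright; the hardened variant rejects the blank-secret row and accepts only the NULL row without a secret, which is the distinction between confidential and public clients that the nullable-column change in Passport 8 makes possible.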