oauthutil: clear client secret if client ID is set #7809
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is the purpose of this change?
When an external OAuth flow is being used (i.e. a client ID and an OAuth token are set in the config), a client secret should not be set. If one is, the server may reject a token refresh attempt.
But there's no way to clear out a backend's default client secret via configuration, since empty-string config values are ignored.
So instead, when a client ID is set, we should clear out any default client secret, since it wouldn't apply anyway.
Was the change discussed in an issue or in the forum before?
No - I was just debugging why my OAuth tokens weren't being refreshed correctly when using the Drive backend, and it led me here.
I did file #7825 for tracking purposes though.
Checklist