Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret
🔗 CVE IDs covered (1)
📋 Description
Impact
The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"].
Because Doorkeeper's Application.by_uid_and_secret treats a blank/missing secret as valid for non-confidential (public) clients, an
attacker who knows only the client_id (which is public information) can authenticate as the dynamically-registered client at the token endpoint.
Note that Dynamic Client Registration is opt-in feature which is disabled by default so only projects that explicitly enabled it are affected.
Steps to Reproduce
- Enable dynamic client registration in the initializer
- POST /oauth/registration with client_name, redirect_uris, and scope
- Observe: response returns client_secret, but the created Doorkeeper::Application has confidential: false
- Call
Doorkeeper::Application.by_uid_and_secret(client_id, nil)— it returns the application (credentials bypass) - POST /oauth/token with grant_type=client_credentials and only client_id (no client_secret) — the token endpoint issues an access token without any secret verification
Patches
Patched in 1.10.0
Workarounds
Upgrade existing applications created with a Dynamic Client registration to have confidential: true
🎯 Affected products1
- rubygems/doorkeeper-openid_connect:= 1.9.0