Recently we had an app break because of the following reasons:

- version 4.4.0 was released with the following changelog message: "Backport security fix from 5.x for token revocation when using public clients"
- we applied the security fix knowing revocation wasn't an issue for our use case
- the security fix went to production without deep testing
- Android users started complaining; iOS users were fine
- after reverting and debugging we noticed a difference between the two: Android clients didn't send the client secret, iOS clients did
- the security fix set `confidential` to true, which seems to disable clients without a client secret
- setting it to false fixed the issue
My question is: shouldn't a breaking change like this be clearer?
The changelog doesn't mention it, and the upgrade guide says to add the migration but doesn't clearly state: "hey, the default will break clients without a client secret key"
Expected behavior
Either the default should change or the documentation should be clearer about this change.
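To make the failure mode in the report concrete, here is an added example (not Doorkeeper's own code, and not from the issue author) that models an OAuth application with a `confidential` flag and two clients: one that sends its client secret and one that does not. It also shows the RFC 7009 check the backported fix is about, namely that a client may only revoke tokens issued to itself. The `Application` and `Token` structs, the function names and the sample uids and secrets are all hypothetical.

```ruby
# Added example (not Doorkeeper's own code): a minimal model of how an
# OAuth application's `confidential` flag changes client authentication,
# and why a client that never sends a client_secret breaks when the flag
# flips to true. All names, structs and sample values are hypothetical.

Application = Struct.new(:uid, :secret, :confidential, keyword_init: true)
Token = Struct.new(:value, :app_uid, :revoked, keyword_init: true)

# Constant-time string comparison (same idea as Rack::Utils.secure_compare)
# so a wrong secret fails in the same time as a nearly-right one.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authenticate the client making a token or revocation request.
# Returns :ok, :unauthorized or :unknown_client.
def authenticate_client(apps, uid:, secret: nil)
  app = apps.find { |a| a.uid == uid }
  return :unknown_client unless app

  if app.confidential
    # A confidential app must present its secret every time. A client that
    # omits it (the Android build in the report) is refused outright.
    secure_equal?(app.secret, secret) ? :ok : :unauthorized
  else
    # A public app is accepted without a secret; if it does send one, it
    # still has to match (design choice for this example).
    (secret.nil? || secure_equal?(app.secret, secret)) ? :ok : :unauthorized
  end
end

# RFC 7009 style revocation: after authenticating the caller, only revoke
# a token that was issued to that same client. This ownership check is what
# protects public clients, since knowing a uid alone proves nothing.
def revoke_token(apps, tokens, uid:, token:, secret: nil)
  auth = authenticate_client(apps, uid: uid, secret: secret)
  return auth unless auth == :ok

  t = tokens.find { |x| x.value == token }
  # Per RFC 7009 an unknown token is still answered with success; a token
  # that exists but belongs to another client is refused.
  return :ok if t.nil?
  return :unauthorized unless t.app_uid == uid

  t.revoked = true
  :ok
end

# Constructed scenario: one registered mobile app, one of its tokens, an
# unrelated app, and two clients that differ only in sending the secret.
def scenario(confidential:)
  app = Application.new(uid: 'mobile-app', secret: 's3cr3t', confidential: confidential)
  other = Application.new(uid: 'other-app', secret: 'other', confidential: true)
  apps = [app, other]
  tokens = [Token.new(value: 'tok1', app_uid: 'mobile-app', revoked: false)]
  {
    android: authenticate_client(apps, uid: 'mobile-app'),                  # no secret sent
    ios: authenticate_client(apps, uid: 'mobile-app', secret: 's3cr3t'),    # secret sent
    other_revokes_tok1: revoke_token(apps, tokens, uid: 'other-app', token: 'tok1', secret: 'other'),
    owner_revokes_tok1: revoke_token(apps, tokens, uid: 'mobile-app', token: 'tok1', secret: 's3cr3t'),
    revoked: tokens.first.revoked
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "confidential: true  -> #{scenario(confidential: true)}"
  puts "confidential: false -> #{scenario(confidential: false)}"
end
```

Running it shows the split from the report: with `confidential: true` the client that omits the secret is `:unauthorized` while the one that sends it is `:ok`; with `confidential: false` both are `:ok`. The revocation ownership check behaves the same either way, which is the point of the report: the flag governs client authentication, not revocation safety, so an operator should audit which registered apps actually send a secret before accepting a migration that sets it to true.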
I just read this old issue report that might be relevant. Sometimes backports introduce breaking changes that aren't foreseen :D
Consider defaulting Application.confidential to false #1142
Wow, that is a subtle breaking change!