Merge pull request #670 from DuendeSoftware/brock/allow_empty_secret_…

…in_idp

Allow empty secret when validating OIDC IDP config

src/IdentityServer/Validation/Default/DefaultIdentityProviderConfigurationValidator.cs

@@ -76,14 +76,6 @@ protected virtual Task ValidateOidcProviderAsync(IdentityProviderConfigurationVa
         {
             context.SetError("ResponseType is missing.");
         }
-        else
-        {
-            var parts = context.IdentityProvider.ResponseType.Split(' ', StringSplitOptions.RemoveEmptyEntries).Distinct();
-            if (parts.Contains(IdentityModel.OidcConstants.ResponseTypes.Code) && String.IsNullOrWhiteSpace(context.IdentityProvider.ClientSecret))
-            {
-                context.SetError("ClientSecret is missing.");
-            }
-        }
 
         if (String.IsNullOrWhiteSpace(context.IdentityProvider.Scope))
         {

test/IdentityServer.UnitTests/Validation/IdentityProviderConfigurationValidation.cs

@@ -124,8 +124,9 @@ public async Task missing_clientid_should_fail()
 
     [Fact]
     [Trait("Category", Category)]
-    public async Task missing_secret_should_fail()
+    public async Task missing_secret_should_be_allowed()
     {
+        // we allow no secret because they might pull it from somewhere else
         var idp = new OidcProvider
         {
             Scheme = "scheme",
@@ -139,8 +140,7 @@ public async Task missing_secret_should_fail()
         var ctx = new IdentityProviderConfigurationValidationContext(idp);
         await _validator.ValidateAsync(ctx);
 
-        ctx.IsValid.Should().BeFalse();
-        ctx.ErrorMessage.ToLowerInvariant().Should().Contain("clientsecret");
+        ctx.IsValid.Should().BeTrue();
     }
 
     [Fact]