Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret
The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"]. Because Doorkeeper's Application.by_uid_and_secret treats a blank/missing secret as valid for non-confidential (public) clients, an attacker who knows only the client_id (which is public information) can authenticate as the dynamically-registered client at the token endpoint. Note that Dynamic Client Registration is opt-in feature which is disabled by default so only …