From 2ebc47170e3cacf18662ca066e38c6e3aaa03824 Mon Sep 17 00:00:00 2001
From: wangsijie
Date: Thu, 22 Aug 2024 13:54:47 +0800
Subject: [PATCH] fix(core): remove the requirement of secured app for PAT (#6493)
---
 .../core/src/oidc/grants/token-exchange/index.ts | 8 +-------
 .../token-exchange/personal-access-token.test.ts | 14 --------------
 2 files changed, 1 insertion(+), 21 deletions(-)
diff --git a/packages/core/src/oidc/grants/token-exchange/index.ts b/packages/core/src/oidc/grants/token-exchange/index.ts
index c9f05940f..3805193bb 100644
--- a/packages/core/src/oidc/grants/token-exchange/index.ts
+++ b/packages/core/src/oidc/grants/token-exchange/index.ts
@@ -25,7 +25,7 @@ import { handleClientCertificate, handleDPoP, checkOrganizationAccess } from '..
 import { validateSubjectToken } from './account.js';
 import { handleActorToken } from './actor-token.js';
-import { TokenExchangeTokenType, type TokenExchangeAct } from './types.js';
+import { type TokenExchangeAct } from './types.js';
 const { InvalidClient, InvalidGrant } = errors;
@@ -67,12 +67,6 @@ export const buildHandler: (
 !(await isThirdPartyApplication(queries, client.clientId)),
 new InvalidClient('third-party applications are not allowed for this grant type')
 );
- // Personal access tokens require secured client
- assertThat(
- params.subject_token_type !== TokenExchangeTokenType.PersonalAccessToken ||
- client.tokenEndpointAuthMethod === 'client_secret_basic',
- new InvalidClient('third-party applications are not allowed for this grant type')
- );
 validatePresence(ctx, ...requiredParameters);
diff --git a/packages/integration-tests/src/tests/api/oidc/token-exchange/personal-access-token.test.ts b/packages/integration-tests/src/tests/api/oidc/token-exchange/personal-access-token.test.ts
index 13920aadd..ccd3009dd 100644
--- a/packages/integration-tests/src/tests/api/oidc/token-exchange/personal-access-token.test.ts
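Review bot: With the `client.tokenEndpointAuthMethod === 'client_secret_basic'` assertion gone from the second hunk, nothing in the handler records that a personal access token is now accepted from a public first-party client whose only remaining gate is the surviving `isThirdPartyApplication` check, so a later reader cannot tell whether that was a decision or an omission. I would leave a short comment where the removed block sat, just before `validatePresence(ctx, ...requiredParameters);`: `// PATs are accepted from any first-party client regardless of its token endpoint auth method (#6493); the PAT itself is presumably the credential that validateSubjectToken verifies.` The negative test deleted from personal-access-token.test.ts is not replaced by a positive one asserting that a client without a secret can now complete the exchange, so as far as this patch shows the intended behaviour is untested. buildHandler starts and ends outside the hunk.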
+++ b/packages/integration-tests/src/tests/api/oidc/token-exchange/personal-access-token.test.ts
@@ -140,20 +140,6 @@ describe('Token Exchange (Personal Access Token)', () => {
 expect(payload).toHaveProperty('sub', testUserId);
 });
- it('should fail with non-secure client authentication method', async () => {
- await expect(
- oidcApi.post('token', {
- headers: formUrlEncodedHeaders,
- body: new URLSearchParams({
- client_id: testApiResourceId,
- grant_type: GrantType.TokenExchange,
- subject_token: testToken,
- subject_token_type: tokenType,
- }),
- })
- ).rejects.toThrow();
- });
-
 it('should fail with invalid PAT', async () => {
 await expect(
 oidcApi.post('token', {