From 992ead90a17e368129bed6750da2f90e9e720e80 Mon Sep 17 00:00:00 2001
From: Adam Heath <adam@polleverywhere.com>
Date: Fri, 17 Mar 2023 16:41:30 +0800
Subject: Block public clients automatic authorization skip

Non-confidential applications should not be able to skip the authorization step, even if they have an existing matching_token.

From the [issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1589):
> According to RFC 8252 section 8.6, the authentication server should re-prompt for user consent, since the client's identity cannot be assured simply from the client_id parameter

Fixes https://github.com/doorkeeper-gem/doorkeeper/issues/1589
---
 app/controllers/doorkeeper/authorizations_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/doorkeeper/authorizations_controller.rb b/app/controllers/doorkeeper/authorizations_controller.rb
index 71dce31c..81445875 100644
--- a/app/controllers/doorkeeper/authorizations_controller.rb
+++ b/app/controllers/doorkeeper/authorizations_controller.rb
@@ -23,7 +23,7 @@ module Doorkeeper
     private
 
     def render_success
-      if skip_authorization? || matching_token?
+      if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
         redirect_or_render authorize_response
       elsif Doorkeeper.configuration.api_only
         render json: pre_auth
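Review bot: the new condition on the `if` line in `render_success` is correct for the stated goal, but it is getting hard to read and the confidentiality check is buried inside an expression that only this branch sees. Consider moving it into the predicate itself, e.g. `def matching_token?` returning `false` early unless `pre_auth.client.application.confidential?`, or adding a small helper such as `confidential_client?` so the branch reads `skip_authorization? || (matching_token? && confidential_client?)`; that way any other caller of `matching_token?` gets the same RFC 8252 behaviour instead of relying on this one call site. Note that `skip_authorization?` still short-circuits ahead of the new check, so a host app whose `skip_authorization` block returns true for a public client will continue to bypass consent; if that is intended it should be called out in the docs or CHANGELOG. Finally, the diffstat shows only the controller changed: a spec that issues an authorization request for a public (non-confidential) client that already holds a matching token, asserting the consent page is rendered rather than a redirect, would lock this fix in and is worth adding to the same patch.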
-- 
2.30.2

