I believe Auth code grant flow is in use in the photoprint/gallery web application demo. I am sending response type=code in the request and in the response I am getting an auth code. If I use this to access resources without providing client id+secret, I am able to get access to the resource pictures.
Am I missing something here or is it a flaw there?
On Tue, Apr 6, 2021 at 5:50 AM arunkumarvenugopal ***@***.***> wrote:
I believe Auth code grant flow is in use in the photoprint/gallery web
application demo. I am sending response type=code in the request and in
the response I am getting an auth code. If I use this to access resources with
providing client id+secret, I am able to get access to the resource pictures.
Am I missing something here or is it a flaw there?
Yea, I didn't forget that, but people tend to mistake it as Access token, where they actually replayed auth code. I saw YouTube videos explaining OAuth flaws using this app that way.
Here auth code itself is enough to grant access is not that a common vulnerability I thought.
Anyways, thanks much for the response. Looking forward to more updates to this app. Great work.
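For reference, an added example that is not part of the thread and not the demo application's code: a minimal in-memory model of how the authorization code grant is meant to separate the code from the access token, with the code redeemable only once at the token endpoint by an authenticated client, and the resource endpoint accepting access tokens only. The class, method names, client id and secret are constructed for illustration.

```python
import secrets
import time

# Constructed sample client registry (hypothetical id and secret).
CLIENTS = {"gallery-client": "s3cret-constructed"}
CODE_TTL = 60  # seconds an authorization code stays redeemable


class AuthServer:
    def __init__(self):
        self.codes = {}   # auth code -> (client_id, user, expires_at)
        self.tokens = {}  # access token -> user

    def issue_code(self, client_id, user):
        """Authorization endpoint (response_type=code): returns a short-lived code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, time.time() + CODE_TTL)
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Token endpoint: authenticate the client, then redeem the code once."""
        expected = CLIENTS.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            return None  # unknown client or wrong secret: code is not redeemed
        entry = self.codes.pop(code, None)  # pop makes the code single use
        if entry is None:
            return None  # unknown or already redeemed code
        bound_client, user, expires_at = entry
        if bound_client != client_id or time.time() > expires_at:
            return None  # code was issued to another client, or has expired
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token

    def get_pictures(self, bearer):
        """Resource endpoint: only access tokens are looked up, never codes."""
        user = self.tokens.get(bearer)
        if user is None:
            return (401, None)
        return (200, f"pictures of {user}")


if __name__ == "__main__":
    server = AuthServer()
    code = server.issue_code("gallery-client", "alice")
    print(server.get_pictures(code))  # the code alone is rejected
    token = server.exchange_code(code, "gallery-client", "s3cret-constructed")
    print(server.get_pictures(token))
```

A quick check against a real deployment follows the same shape: present the authorization code directly to the resource endpoint and expect a 401.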