I am testing the auth code flow with PKCE as Authorization Code Grant with Proof Key for Code Exchange (PKCE).
I have tried to put client_id and client_secret on the SPA page. Everything works fine,
but that is definitely not safe.
If I want to store client_secret on the backend Spring Boot application,
what should I do?
Our AS requires a client secret; without the secret, it returns 401:
{
"error_description": "Invalid client or client credentials.",
"error": "invalid_client"
}
If I put the secret in the config, then everything is fine, but we are not allowed to put the secret in JavaScript.
If oidc-client-js allowed manually separating the code flow from the authorize-code flow, that might help.
By the way, I really like this library. I just have not figured out how to customize it to my needs.
@wanggewg As mentioned, PKCE intentionally does not need a client_secret. Your identity provider should support this.
If for some reason they don't support it, as you alluded to, you'll have to work around it, which is outside the scope of this issue.
But if it helps you in your investigation of workarounds, I've seen folks intercept the POST /authenticate call, either with a reverse proxy or a dedicated backend endpoint, append the client_secret to the request body, send it to the identity provider, then forward the response to the SPA.
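A concrete shape for the dedicated-backend-endpoint variant, as an added example that is not code from oidc-client-js or from anyone in this thread: the SPA keeps running its normal PKCE exchange, but sends the request that exchanges the authorization code to a relay on the backend (the question's Spring Boot service; written here in JavaScript because oidc-client-js is a JavaScript library), and the relay adds client_secret and forwards the request to the provider's token endpoint. The function names, the endpoint URL, the client id, the redirect URI allowlist and the secret are all assumptions for illustration. The point worth seeing is that the relay does not weaken PKCE (code_verifier is passed through, so the provider still checks it) and that it must refuse to become a general-purpose client-secret oracle: it forwards only an allowlisted set of parameters, only for the authorization_code grant, and only for its own client_id.

```javascript
// Added example (not oidc-client-js code): a backend token relay that keeps
// client_secret on the server. The SPA keeps doing PKCE exactly as before, but
// points its token request at this relay instead of the provider.

// Hypothetical configuration: every value here is a placeholder for illustration.
const RELAY_CONFIG = {
  tokenEndpoint: 'https://idp.example/oauth2/token',             // placeholder
  clientId: 'spa-client',                                        // placeholder
  // Loaded from the server environment; never embedded in JavaScript sent to the browser.
  clientSecret: process.env.OIDC_CLIENT_SECRET || 'PLACEHOLDER_CLIENT_SECRET',
  allowedRedirectUris: new Set(['https://app.example/callback']), // placeholder
};

// Only these parameters may be forwarded from the SPA. Anything else (scope,
// resource, a client-supplied client_secret, ...) is rejected rather than relayed.
const ALLOWED_PARAMS = new Set(['grant_type', 'code', 'redirect_uri', 'client_id', 'code_verifier']);

// Takes the raw application/x-www-form-urlencoded body the SPA sent and returns
// the body to send upstream, or throws if the request is not a plain PKCE
// authorization_code exchange for this one client.
function shapeUpstreamTokenRequest(spaBody, cfg) {
  const incoming = new URLSearchParams(spaBody);

  for (const key of incoming.keys()) {
    if (!ALLOWED_PARAMS.has(key)) {
      throw new Error(`parameter not allowed through relay: ${key}`);
    }
  }
  // Confused-deputy guard: the relay only ever authenticates as its own client
  // and only for the code exchange, never for client_credentials or other grants.
  if (incoming.get('grant_type') !== 'authorization_code') {
    throw new Error('relay only handles grant_type=authorization_code');
  }
  const claimedClient = incoming.get('client_id');
  if (claimedClient !== null && claimedClient !== cfg.clientId) {
    throw new Error('client_id does not match the relay client');
  }
  // PKCE stays end-to-end: the provider still checks code_verifier against the
  // code_challenge sent in the authorize request, so the relay adds no new trust.
  const code = incoming.get('code');
  const verifier = incoming.get('code_verifier');
  if (!code || !verifier) {
    throw new Error('code and code_verifier are required');
  }
  const redirectUri = incoming.get('redirect_uri');
  if (!redirectUri || !cfg.allowedRedirectUris.has(redirectUri)) {
    throw new Error('redirect_uri is not registered for this relay');
  }

  const upstream = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    code_verifier: verifier,
    redirect_uri: redirectUri,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret, // added server-side only
  });
  return upstream.toString();
}

// Forwards the shaped request to the provider and returns its status and JSON body
// unchanged, so the SPA sees exactly the provider's response (including the
// invalid_client error quoted in the issue, should the secret be wrong).
// Uses the global fetch available in Node 18+; fetchImpl is injectable for testing.
async function forwardTokenRequest(spaBody, cfg = RELAY_CONFIG, fetchImpl = fetch) {
  const body = shapeUpstreamTokenRequest(spaBody, cfg);
  const res = await fetchImpl(cfg.tokenEndpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  return { status: res.status, body: await res.json() };
}
```

Wire `forwardTokenRequest` behind the backend route the SPA is configured to use for its token request, with the secret supplied through the server environment. A refresh_token grant, if the SPA uses one, needs the same treatment with its own allowlist rather than a relaxed one, and the relay route itself should be reachable only from the SPA's origin, since anyone who can post to it can complete a code exchange as this client.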