I understand that most people will simply use Authorization Code flow w/ client id + secret, but the PKCE extension + RS256 exists for a reason and my OCD just can't accept the fact that I have to inject the client secret (ugh). I'm sure you're much more aware of the OIDC protocol than I am, but it IS pretty obvious that the Authorization Code + PKCE is widely regarded & used as a way to securely implement OIDC RP without exposing (or even using) the client secret. If you don't want to budge, I understand, but could you at least show me a way I can rely on client_secret-less Authorization Code flow w/ PKCE? Thanks

Edit: But honestly, I think this is a bug, and that

Edit 2: In fact, when I just set
It doesn't. Use of PKCE has no impact on what client authentication mechanism the client uses. All it takes is to configure your client's token_endpoint_auth_method.
Setting it to "none" worked. In fact, it's the ONLY configuration that makes sense given that I'm not sending any sort of client secret or cert to the endpoint. Issue solved, but would love for this to be documented for anyone who's trying to do AC flow secret-less :) Thanks