Question

OpenID with required PKCE still expects a client_secret

  • 8 February 2024
  • 3 replies
  • 75 views


When I try to log in using the Authorization Code Flow with PKCE, I expect to be able to disable the client_secret, since we are using a SPA and do not want to expose it in the frontend. However, even with PKCE enabled, a client_secret still seems to be required, as shown in the following error message: "Client secret is required for authorization_code, but no client secret is configured."

Is it possible to configure the Indicium authorization server to not require a client_secret for public clients using PKCE?


3 replies


Hello @Pierius Lycklama A Nijeholt,

Is it possible to configure the Indicium authorization server to not require a client_secret for public clients using PKCE?

No, this is currently not possible. Indicium offers no OpenID flow that is suitable for public clients and since PKCE is not a replacement for a client secret (i.e. it provides no means of client authentication), it is not sufficient to make a client confidential.

Can you elaborate on why you would want or need to use OpenID for your use case?


Hello, @Vincent Doppenberg,

We are building an application where the user needs to authenticate via the Thinkwise Platform, so they can see data associated with their account.
The redirect to the login and the token request take place on the front-end. We enabled PKCE because the application is publicly available. We did this because, according to OAuth 2.0, this is supposed to be secure:

https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce

Hello @Pierius Lycklama A Nijeholt,

We enabled PKCE because the application is publicly available. We did this because, according to OAuth 2.0, this is supposed to be secure:

https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce

Yes, this is an accepted OAuth flow for public clients, but not one that we support at this moment. We only support flows for confidential clients, i.e. clients that can safely store a client secret.

We support PKCE on top of that because PKCE should not be seen as a replacement for a client secret for public clients, but rather a general security addition that is also recommended for confidential clients.

We can make the client secret optional (and enforce PKCE when empty) in order to support public clients as well; I would recommend creating an Idea for this.

We are building an application where the user needs to authenticate via the Thinkwise Platform, so they can see data associated with their account.

In my previous answer I asked why you would need to use OpenID because it is not the only means of authentication via the Thinkwise Platform. And in particular, the flow for public clients doesn’t really have advantages over the standard cookie-based authentication.

Aside from OpenID, you have two more options:

  • Calling /account/api/login from your own login page and receiving the authentication cookie. You can see how this works by looking at the Universal GUI.
  • Using the login page of Indicium as a landing page and either specifying a ?returnUrl= in the querystring or configuring a default return URL at LoginOptions > ApplicationRedirectURL in the appsettings.json.

If your client application is limited to only OAuth-based authentication flows, then I understand that this is not an option.
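The two points made in this thread, that PKCE binds the token request to the authorization request but does not authenticate the client, and that a server wanting to serve public clients would make the client secret optional and enforce PKCE when it is empty, can be seen side by side in a small token-endpoint model. The following is an added example written for this page; it is not Indicium's code, and the client ids, the `hypothetical-secret` value and the in-memory code store are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# --- PKCE primitives (RFC 7636, S256 method) ---

def make_code_verifier(nbytes=32):
    """Random verifier; 32 bytes base64url-encoded without padding gives 43 chars (RFC minimum)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier):
    """S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))) with the padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def verify_pkce(verifier, challenge):
    """Token-endpoint check. Note what it does NOT prove: whoever started the authorization
    request can satisfy it, so it ties the two requests to the same party but says nothing
    about which registered client that party is. That is why it is not client authentication."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)

# --- Toy authorization-server state (constructed for this example) ---

CLIENTS = {
    "spa-client": {"client_secret": None},                      # public client, nothing to keep secret
    "backend-client": {"client_secret": "hypothetical-secret"},  # confidential client
}
ISSUED_CODES = {}  # authorization code -> {"client_id", "code_challenge"}

def authorize(client_id, code_challenge):
    """Authorization endpoint: issue a code and remember the challenge it was bound to (if any)."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "code_challenge": code_challenge}
    return code

def exchange_code(client_id, code, code_verifier=None, client_secret=None):
    """Token endpoint with the policy proposed in the reply: secret optional, PKCE required when it is empty."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "invalid_client"
    issued = ISSUED_CODES.pop(code, None)  # codes are single use; a replayed code fails here
    if issued is None or issued["client_id"] != client_id:
        return False, "invalid_grant"
    if client["client_secret"] is not None:
        # Confidential client: authenticate it. PKCE is checked in addition, never instead.
        if client_secret is None or not hmac.compare_digest(client["client_secret"], client_secret):
            return False, "invalid_client"
    elif issued["code_challenge"] is None:
        # Public client: no secret to check, so the code must have been bound with PKCE.
        return False, "invalid_request"
    if issued["code_challenge"] is not None:
        if code_verifier is None or not verify_pkce(code_verifier, issued["code_challenge"]):
            return False, "invalid_grant"
    return True, "token_issued"

if __name__ == "__main__":
    verifier = make_code_verifier()
    code = authorize("spa-client", make_code_challenge(verifier))
    print("SPA with PKCE:", exchange_code("spa-client", code, code_verifier=verifier))
    code = authorize("spa-client", None)
    print("SPA without PKCE:", exchange_code("spa-client", code))
    code = authorize("backend-client", None)
    print("Backend, wrong secret:", exchange_code("backend-client", code, client_secret="nope"))
```

The `verify_pkce` docstring states the point of the first reply: the check succeeds for any party that generated the verifier, which is exactly why a server that only has PKCE still does not know which client it is talking to. The `exchange_code` branches show the second reply's proposal as policy: a configured secret is authenticated, and when none is configured the code must carry a challenge.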
