DEV Community

Cover image for Setting up an Authorization Server with OpenIddict - Part IV - Authorization Code Flow

Setting up an Authorization Server with OpenIddict - Part IV - Authorization Code Flow

Robin van der Knaap on December 11, 2020

This article is part of a series called Setting up an Authorization Server with OpenIddict. The articles in this series will guide you through the...
Collapse
 
skini82 profile image
Dario Fraschini

Hello guys!
I followed this guide but I noticed that the PKCE flow needs a client_secret to be accomplished. I was thinking the PKCE flow is just done to avoid exchange of client secret from a SPA to the Auth Server. Am I right? What can I do to avoid openiddict to ask for a client_secret?

Collapse
 
salvagl profile image
salvagl

First of all, Thanks to Robin for this amazing tutorial.
@skini82 , had you got any private answer to this issue?? I'm getting the same problem and I don't know how to configure Openiddict to avoid the client_secret validation in a "code flow + pkce" setting...
When my SPA client request the token(post to the token endpoint) with this parameters:
grant_type=authorization_code
&code=mgJkm0ivM******************CV6m6ZBGEKMLc598
&redirect_uri=redirect_uri
&code_verifier=MFVtUFZyRGVq
**************VteFRpTncwUzB0OWlSRGM1
&client_id=security.
***.dev

Openiddict , is validating the client_secret and respond with a :

OpenIddict.Server.OpenIddictServerDispatcher: Information: The token request was rejected because the confidential application 'security.*****.dev' didn't specify a client secret.
OpenIddict.Server.OpenIddictServerDispatcher: Information: The response was successfully returned as a JSON document: {
"error": "invalid_client",
"error_description": "The 'client_secret' parameter required for this client application is missing.",
"error_uri": "documentation.openiddict.com/error..."
}.

I'm a little confuse about this , for the same reason that you were

Any help is appreciated.

Thanks!

Collapse
 
salvagl profile image
salvagl

Ok...well....after days thinking about posting my question or not, a few minutes after I did it...I have found the solution: I realised than my App_client was configured as "confidential" (what I suppouse is intended for server-side apps or very confident environments). For a public spa the attribute *"Type" should be "public" *, in this way, Openiddict doesn't validate the client_secret...good to know

Thread Thread
 
khomenmac profile image
Khomenko Max

man, can't describe how much it helped me. i searched high and low before ran into your comment.

await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = MyConstants.LibraryAngularApp,
Type = "public", // !!!
}

Thread Thread
 
salvagl profile image
salvagl

I'm glad to hear that!

Thread Thread
 
rezapouya profile image
Reza Pouya

OpenId has a constant for this :

Type = OpenIddictConstants.ClientTypes.Public,

Collapse
 
bluearth profile image
Barkah Yusuf

Been wrapping my head around authentication code flow for years. This example clarifies many things for me.

Collapse
 
zizounetgit profile image
zizounetgit

When i call the userinfo i got this :

The userinfo request was rejected because the mandatory 'access_token' parameter was missing.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
The response was successfully returned as a challenge response: {
"error": "missing_token",
"error_description": "The mandatory 'access_token' parameter is missing.",
"error_uri": "documentation.openiddict.com/error..."
}.

Collapse
 
mikhailcrimea profile image
Mikhail • Edited

I got same error "The mandatory 'access_token' parameter is missing.", but I understand where the problem is.
It's not enough to open /connect/userinfo address in browser. You should attach previously created token, so for /connect/userinfo request you should send a 'GET' request with attached token via Postman!

Collapse
 
tecno14 profile image
Wael Had

any fix ?

Collapse
 
borisgr04 profile image
borisgr04

Very good solution now that identityserver is paid.
Question. As handling of various scopes.

Collapse
 
nonsenseless profile image
nonsenseless

I'm still going through the series and picking out how things will apply to my own setup, but I wanted to pause and thank you for a very well put together series on authentication. This may be the single best walkthrough I've found for configuring API authentication in core.

Collapse
 
dubik profile image
dubik

Registered just to say thank you for such an amazing article!

Collapse
 
robinvanderknaap profile image
Robin van der Knaap

Thank you, very nice to hear that!

Collapse
 
hypervtechnics profile image
hypervtechnics

Very good article!