DEV Community

Discussion on: Setting up an Authorization Server with OpenIddict - Part IV - Authorization Code Flow

Dario Fraschini

Hello guys!
I followed this guide, but I noticed that the PKCE flow needs a client_secret to be completed. I was thinking the PKCE flow is done precisely to avoid exchanging a client secret between a SPA and the Auth Server. Am I right? What can I do to stop OpenIddict from asking for a client_secret?

salvagl

First of all, thanks to Robin for this amazing tutorial.
@skini82, did you get any private answer to this issue? I'm getting the same problem and I don't know how to configure OpenIddict to avoid the client_secret validation in a "code flow + PKCE" setting...
When my SPA client requests the token (POST to the token endpoint) with these parameters:
grant_type=authorization_code
&code=mgJkm0ivM******************CV6m6ZBGEKMLc598
&redirect_uri=redirect_uri
&code_verifier=MFVtUFZyRGVq**************VteFRpTncwUzB0OWlSRGM1
&client_id=security.***.dev

OpenIddict validates the client_secret and responds with:

OpenIddict.Server.OpenIddictServerDispatcher: Information: The token request was rejected because the confidential application 'security.*****.dev' didn't specify a client secret.
OpenIddict.Server.OpenIddictServerDispatcher: Information: The response was successfully returned as a JSON document: {
"error": "invalid_client",
"error_description": "The 'client_secret' parameter required for this client application is missing.",
"error_uri": "documentation.openiddict.com/error..."
}.

I'm a little confused about this, for the same reason that you were.

Any help is appreciated.

Thanks!

salvagl

Ok... well... after days thinking about whether to post my question or not, a few minutes after I did it... I have found the solution: I realised that my App_client was configured as "confidential" (which I suppose is intended for server-side apps or very trusted environments). For a public SPA the attribute "Type" should be "public"; this way, OpenIddict doesn't validate the client_secret... good to know.

Khomenko Max

Man, I can't describe how much it helped me. I searched high and low before I ran into your comment.

await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
    ClientId = MyConstants.LibraryAngularApp,
    Type = "public", // !!! no ClientSecret is set, and none is required at the token endpoint
});

salvagl

I'm glad to hear that!

Reza Pouya

OpenIddict has a constant for this:

Type = OpenIddictConstants.ClientTypes.Public,
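Putting the thread's fix together, as an added example that is not code from the tutorial or from any of the commenters: the SPA is registered as a public client (no secret, so the token endpoint never demands one) and PKCE is made a hard requirement, so an authorization code intercepted on its own cannot be redeemed. The client id, display name, redirect URI and "api" scope are assumptions; the descriptor properties and constants are OpenIddict's own.

```csharp
using System;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class SpaClientSeeder
{
    // Hypothetical values for the illustration.
    private const string ClientId = "spa-client";
    private const string RedirectUri = "https://localhost:4200/callback";

    public static async Task SeedAsync(IOpenIddictApplicationManager manager)
    {
        // Idempotent seeding: do nothing if the client is already registered.
        if (await manager.FindByClientIdAsync(ClientId) is not null)
            return;

        await manager.CreateAsync(new OpenIddictApplicationDescriptor
        {
            ClientId = ClientId,
            DisplayName = "Angular SPA",
            // Public client: no ClientSecret is set. A browser app cannot keep a
            // secret anyway, so a "confidential" registration only breaks the flow.
            // (Newer OpenIddict releases name this property ClientType.)
            Type = ClientTypes.Public,
            // Only exact-match redirect URIs are accepted for the code to be returned.
            RedirectUris = { new Uri(RedirectUri) },
            Permissions =
            {
                Permissions.Endpoints.Authorization,
                Permissions.Endpoints.Token,
                Permissions.GrantTypes.AuthorizationCode,
                Permissions.GrantTypes.RefreshToken,
                Permissions.ResponseTypes.Code,
                Permissions.Scopes.Email,
                Permissions.Scopes.Profile,
                Permissions.Prefixes.Scope + "api"
            },
            // Enforce PKCE: authorization requests without code_challenge are
            // rejected, so a stolen code is useless without the code_verifier.
            Requirements = { Requirements.Features.ProofKeyForCodeExchange }
        });
    }
}
```

With this registration the token request shown earlier in the thread (code + code_verifier + client_id, no client_secret) is accepted, while a request that omitted code_challenge at the authorization endpoint is refused up front.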