app without client_secret (still) not working?
n2ygk opened this issue
I'm trying to achieve an Authorization Code with PKCE flow and public client for a Single Page web App (that can't keep a client_secret safe). I am using the latest release 2.4.0 but having the same issue described above.
- I register a new app with Client type = Public, Grant type = Authorization code and Algorithm = RSA 256 (because I'm using OIDC) - screenshot below
- When I include the Client Secret in Postman, I get both the code and token correctly ✅
- When I omit the Client Secret, I get the code returned OK but the POST /o/token/ returns 401 and gives me "Error: invalid_client" ❌
- I've tried with both PKCE_REQUIRED true and false
@n2ygk do you (or anyone else) have any ideas as to what I might be doing wrong?
Originally posted by @s1monj in #1092 (comment)
@s1monj the testapp2 screenshot shows a client secret. Are you sure it's blank?
@n2ygk ahhhhh can't believe I didn't try that! That was all I needed thanks! I guess because the Client Secret is auto-populated by the UI, I was in the mindset that every app has a client secret, and it's just up to the "Client type" to determine if the client must send it or not. I never thought of saving a blank secret, and now it makes total sense. Really appreciate your help with this!
Phew. Glad that's all it was.