This article is part of a series called Setting up an Authorization Server with OpenIddict. The articles in this series will guide you through the...
Hello guys!
I followed this guide, but I noticed that the PKCE flow needs a client_secret to be completed. I was thinking the PKCE flow is done just to avoid exchanging a client secret between a SPA and the Auth Server. Am I right? What can I do to stop OpenIddict from asking for a client_secret?
First of all, Thanks to Robin for this amazing tutorial.
@skini82, did you get any private answer to this issue? I'm having the same problem and I don't know how to configure OpenIddict to avoid the client_secret validation in a "code flow + PKCE" setting...
When my SPA client requests the token (POST to the token endpoint) with these parameters:
grant_type=authorization_code
&code=mgJkm0ivM******************CV6m6ZBGEKMLc598
&redirect_uri=redirect_uri
&code_verifier=MFVtUFZyRGVq**************VteFRpTncwUzB0OWlSRGM1
&client_id=security.***.dev
OpenIddict is validating the client_secret and responds with:
OpenIddict.Server.OpenIddictServerDispatcher: Information: The token request was rejected because the confidential application 'security.*****.dev' didn't specify a client secret.
OpenIddict.Server.OpenIddictServerDispatcher: Information: The response was successfully returned as a JSON document: {
"error": "invalid_client",
"error_description": "The 'client_secret' parameter required for this client application is missing.",
"error_uri": "documentation.openiddict.com/error..."
}.
I'm a little confused about this, for the same reason that you were.
Any help is appreciated.
Thanks!
OK... well... after days thinking about whether to post my question or not, a few minutes after I did it... I found the solution: I realised that my App_client was configured as "confidential" (which I suppose is intended for server-side apps or very confident environments). For a public SPA the attribute *"Type" should be "public"*; this way, OpenIddict doesn't validate the client_secret... good to know.
Man, can't describe how much it helped me. I searched high and low before I ran into your comment.
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = MyConstants.LibraryAngularApp,
Type = "public", // !!! public client: no client_secret is registered or required
});
I'm glad to hear that!
OpenId has a constant for this:
Type = OpenIddictConstants.ClientTypes.Public,
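As an added example (not code from the article or from the OpenIddict project), here is a seeding method that registers the two kinds of client side by side, so the setting the thread keeps tripping over is explicit. It assumes OpenIddict 3.x (the `Type` property; 4.x renames it to `ClientType`), an `IOpenIddictApplicationManager` resolved from DI, and the hypothetical client ids, redirect URIs and `api` scope used below. The point a practitioner should take from it: marking a SPA as `Public` removes the client_secret check, so the registration should also make PKCE a requirement; otherwise a public client can exchange an intercepted code without ever presenting a `code_verifier`.

```csharp
// Added example: seeding a confidential and a public OpenIddict client.
// Assumed: OpenIddict 3.x, client ids/URIs below are placeholders.
using System;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class ClientSeeder
{
    public static async Task SeedAsync(IOpenIddictApplicationManager manager)
    {
        // 1. Server-side web app: confidential. It can keep a secret, so OpenIddict
        //    demands client_secret at the token endpoint. Sending the request shown
        //    in the thread (no secret) against this registration yields the
        //    "invalid_client ... client_secret parameter required" error.
        if (await manager.FindByClientIdAsync("mvc-backend") is null)
        {
            await manager.CreateAsync(new OpenIddictApplicationDescriptor
            {
                ClientId = "mvc-backend",
                ClientSecret = "replace-with-a-long-random-secret", // OpenIddict stores it hashed
                Type = ClientTypes.Confidential,
                ConsentType = ConsentTypes.Explicit,
                RedirectUris = { new Uri("https://localhost:7001/signin-oidc") },
                Permissions =
                {
                    Permissions.Endpoints.Authorization,
                    Permissions.Endpoints.Token,
                    Permissions.GrantTypes.AuthorizationCode,
                    Permissions.GrantTypes.RefreshToken,
                    Permissions.ResponseTypes.Code,
                    Permissions.Scopes.Profile,
                    Permissions.Scopes.Email,
                    Permissions.Prefixes.Scope + "api"
                }
            });
        }

        // 2. Browser SPA: public. No secret is registered and none is requested.
        //    PKCE is made mandatory so that an authorization code leaked from the
        //    redirect is useless without the code_verifier held by the SPA.
        if (await manager.FindByClientIdAsync("angular-spa") is null)
        {
            await manager.CreateAsync(new OpenIddictApplicationDescriptor
            {
                ClientId = "angular-spa",
                Type = ClientTypes.Public,                  // the fix from the thread
                ConsentType = ConsentTypes.Explicit,
                RedirectUris = { new Uri("https://localhost:4200/callback") },
                Permissions =
                {
                    Permissions.Endpoints.Authorization,
                    Permissions.Endpoints.Token,
                    Permissions.GrantTypes.AuthorizationCode,
                    Permissions.GrantTypes.RefreshToken,
                    Permissions.ResponseTypes.Code,
                    Permissions.Scopes.Profile,
                    Permissions.Scopes.Email,
                    Permissions.Prefixes.Scope + "api"
                },
                Requirements =
                {
                    // Reject authorization requests from this client that carry
                    // no code_challenge, and token requests with no code_verifier.
                    Requirements.Features.ProofKeyForCodeExchange
                }
            });
        }
    }
}
```

Call `SeedAsync` once at startup (a hosted service or a migration step). The `using static` import is what lets `Permissions.Endpoints.Authorization` inside the `Permissions = { ... }` initializer resolve to the constants rather than the descriptor property.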
Been wrapping my head around authentication code flow for years. This example clarifies many things for me.
When I call the userinfo endpoint I get this:
The userinfo request was rejected because the mandatory 'access_token' parameter was missing.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
The response was successfully returned as a challenge response: {
"error": "missing_token",
"error_description": "The mandatory 'access_token' parameter is missing.",
"error_uri": "documentation.openiddict.com/error..."
}.
I got the same error, "The mandatory 'access_token' parameter is missing.", but I understand where the problem is.
It's not enough to open the
/connect/userinfo
address in the browser. You should attach the previously created token, so for the /connect/userinfo
request you should send a GET request with the token attached, via Postman!
Any fix?
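The two calls the thread is about, as an added example that is not part of the article: a small console client that builds the PKCE pair, exchanges the authorization code for an access token without any client_secret, and then calls /connect/userinfo with the token in the Authorization header rather than by opening the URL in a browser. It assumes the server runs at https://localhost:5001 with OpenIddict's default /connect/authorize, /connect/token and /connect/userinfo paths, and a public client registered as angular-spa with redirect URI https://localhost:4200/callback; all of those are placeholders. The browser redirect that actually produces the code is not shown; the code and the saved verifier are passed in as arguments.

```csharp
// Added example: PKCE code exchange and userinfo call from a .NET 6+ console client.
// Assumed: issuer, client id and redirect URI below are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class PkceClient
{
    const string Issuer = "https://localhost:5001";           // assumed
    const string ClientId = "angular-spa";                    // assumed public client
    const string RedirectUri = "https://localhost:4200/callback"; // assumed

    // Unpadded base64url, as RFC 7636 requires for the verifier and the challenge.
    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Step 0: the verifier never leaves the client; only its S256 hash is sent.
    public static (string Verifier, string Challenge) CreatePkcePair()
    {
        var verifier = Base64Url(RandomNumberGenerator.GetBytes(32)); // 43 chars
        var challenge = Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));
        return (verifier, challenge);
    }

    // Step 1: the URL the browser is sent to. Persist Verifier and state before redirecting.
    public static string BuildAuthorizeUrl(string challenge, string state) =>
        $"{Issuer}/connect/authorize?client_id={ClientId}&response_type=code" +
        "&scope=openid%20profile%20email" +
        $"&redirect_uri={Uri.EscapeDataString(RedirectUri)}" +
        $"&code_challenge={challenge}&code_challenge_method=S256&state={state}";

    // Step 2: exchange the code. No client_secret: the code_verifier is what proves
    // this is the same client that started the flow.
    public static async Task<string> ExchangeCodeAsync(HttpClient http, string code, string verifier)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = RedirectUri,
            ["code_verifier"] = verifier,
            ["client_id"] = ClientId,
        });
        using var response = await http.PostAsync($"{Issuer}/connect/token", form);
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        if (!response.IsSuccessStatusCode)
        {
            // invalid_client: client registered as confidential, so a secret was expected
            // invalid_grant: verifier does not hash to the challenge sent in step 1
            throw new InvalidOperationException(doc.RootElement.GetProperty("error").GetString());
        }
        return doc.RootElement.GetProperty("access_token").GetString()!;
    }

    // Step 3: userinfo wants the access token as a Bearer header. A bare GET from the
    // address bar carries no token, which is the "missing_token" response in the thread.
    public static async Task<string> GetUserInfoAsync(HttpClient http, string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, $"{Issuer}/connect/userinfo");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Usage: dotnet run -- <code from the redirect> <verifier saved before the redirect>
    public static async Task Main(string[] args)
    {
        var http = new HttpClient();
        var token = await ExchangeCodeAsync(http, args[0], args[1]);
        Console.WriteLine(await GetUserInfoAsync(http, token));
    }
}
```

The same three requests can be replayed by hand in Postman or curl; the only thing the userinfo call needs beyond the URL is the `Authorization: Bearer <access_token>` header.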
Very good solution now that IdentityServer is paid.
Question. As handling of various scopes.
I'm still going through the series and picking out how things will apply to my own setup, but I wanted to pause and thank you for a very well put together series on authentication. This may be the single best walkthrough I've found for configuring API authentication in core.
Registered just to say thank you for such an amazing article!
Thank you, very nice to hear that!
Very good article!