Send client_id + client_secret in Authorization to TokenEndpoint #117
Summary
Our Authorization Server expects a Basic Auth header included when requests are made to TokenEndpoint. Please could you make this an option in the config, many thanks!

Basic Example
Authorization=base64Encoded(client_id, client_secret)

Drawbacks
Without this feature, the lib will be incompatible with some Authorization Servers

Unresolved questions
No response

Implementation PR
No response

Reference Issues
No response
Replies: 1 comment
-
This library only supports RFC-7636 and is not applicable to the authorization code flows that OAuth2 lays out in RFC-6749 (using client secrets) that you are requesting. The main concept at work here is that this is a "front end only" library that interacts directly with an authorization server to perform an authorization flow and get an access token. Being a front end only library, there is no way to keep the client secret, well, secret! To meet this need, an extension to OAuth2, RFC-7636 "Proof Key for Code Exchange by OAuth Public Clients", was created. This library implements that specification. If you want to use authorization code flows using client secrets, you need to make sure you are using a backend server that holds your client secret and coordinates the authorization. There are plenty of backend frameworks written in JavaScript using Node that accomplish this if that is your goal.