
client_secret required with PKCE

Open ghost opened this issue 1 year ago • 5 comments

I am currently switching to the Authorization Code Grant with PKCE, but when I try calling the signinCallback() method after the redirect, I get the following error: "Error: A client_secret is required.". This is weird, since PKCE should work without a secret. How can I fix this?

Here's my current config:

import type { UserManagerSettings } from 'oidc-client-ts';

const settings: UserManagerSettings = {
  authority: 'iamthe.authority',
  client_authentication: 'client_secret_basic',
  client_id: 'clientid_would_be_here',
  loadUserInfo: true,
  redirect_uri: `${window.location.origin}/signin-callback`,
  silent_redirect_uri: `${window.location.origin}/signin-callback`,
  post_logout_redirect_uri: `${window.location.origin}/logged-out`,
  response_type: 'code',
  scope: 'openid',
  metadata: {...}
};

Tested on versions: 3.0.0-rc0 and 3.0.1

Happy to share any information that may be useful to fix this.

ghost avatar Mar 14 '24 12:03 ghost

Most probably a configuration problem on your IdP side and not on client side.

To fix: double check your IdP config...

pamapa avatar Mar 14 '24 14:03 pamapa

I dug further into the code and I think it's these lines of code. Is there a reason for basic requiring a secret, while post doesn't?

https://github.com/authts/oidc-client-ts/blob/14168c006c3073be00580d8253f882dad36658f9/src/TokenClient.ts#L109C12-L115C23

fpue avatar Mar 14 '24 16:03 fpue

I dug further into the code and I think it's these lines of code. Is there a reason for basic requiring a secret, while post doesn't?

https://github.com/authts/oidc-client-ts/blob/14168c006c3073be00580d8253f882dad36658f9/src/TokenClient.ts#L109C12-L115C23

That code path is only taken if settings.client_authentication is set. Which you do; I overlooked it the first time, sorry. Do not set this for code flow with PKCE...

pamapa avatar Mar 15 '24 07:03 pamapa

But my IdP only supports basic. Switching IdP is currently not an option, so this ticket now is more a feature request than a question.

Please add the ability to use client_authentication: 'client_secret_basic' and PKCE at the same time.

fpue avatar Mar 15 '24 10:03 fpue

But my IdP only supports basic.

Then you need a secret client side...

pamapa avatar Mar 18 '24 10:03 pamapa