
'None' authentication method for authorization code flow with PKCE?

Open • Nezteb opened this issue 1 year ago • 1 comment

Description

According to the docs, there are four supported authentication methods: client_secret_basic, client_secret_post, client_secret_jwt, and private_key_jwt.

As such, all functions in Oidcc require both a client ID and client secret, such as: https://hexdocs.pm/oidcc/Oidcc.Token.html#retrieve/3

Is it possible to support not providing a client secret so that the client can still fetch and exchange access tokens?

Nezteb, Aug 27 '24 18:08

@Nezteb Supporting none wasn't something I considered implementing, since the library doesn't currently offer any hybrid / implicit flows.

I'm, however, open to supporting them if you or anyone else wants to do a PR:

We can allow :unauthenticated to be passed to all functions that accept a client secret. This is already possible on all functions operating on a client context: https://hexdocs.pm/oidcc/Oidcc.ClientContext.html#t:unauthenticated_t/0

maennchen, Sep 03 '24 14:09