Identityserver4: Hybrid flow with PKCE Questions

Created on 1 Dec 2017 · 3 Comments · Source: IdentityServer/IdentityServer4

I have a couple of questions about using Hybrid flow with PKCE:

  1. I know that section 8.5 of the OAuth 2.0 for Native Apps spec (https://www.rfc-editor.org/rfc/rfc8252.txt) says "it is NOT RECOMMENDED for authorization servers to require client authentication of public native apps clients using a shared secret". I noticed that identity requires the client secret on the token endpoint even when PKCE is in use. Is this due to some newer information since that RFC was written? The downsides of requiring it that I can think of are:
     • You force the burden of secret generation when registering the client
     • You expose the client secret to native apps possibly without adding much value - not sure. This could be an issue if you ever allowed the same client to use client credentials and hybrid (hopefully you wouldn't for public clients).
     • It becomes more difficult to determine if a client is a Public Client that happens to have a secret since we don't have a client property to say what type of app they are or whether they are public vs. confidential.
  2. I'm also curious if you would ever use Hybrid with PKCE on a MVC style application where the token endpoint would be called from a secured server. Is this just overkill? I only ever see PKCE advocated for public clients.

Thanks!

question

All 3 comments

Set RequireClientSecret to false.
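Added example (not from this thread or the IdentityServer4 project): two IdentityServer4 `Client` definitions in C# showing the native public client from the question configured the way the reply suggests, next to a confidential MVC client that keeps its secret. Client ids, redirect URIs, the loopback port, scope names and the secret value are assumptions.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Clients
{
    public static IEnumerable<Client> Get() => new List<Client>
    {
        // Native (public) client: hybrid flow protected by PKCE, no shared secret.
        // Client id, loopback port and scope names are assumed values.
        new Client
        {
            ClientId = "native.hybrid.pkce",
            AllowedGrantTypes = GrantTypes.Hybrid,
            // The setting the reply points to: the token endpoint stops
            // demanding a client secret from this client...
            RequireClientSecret = false,
            // ...and PKCE is made mandatory, with the "plain" challenge method refused.
            RequirePkce = true,
            AllowPlainTextPkce = false,
            // Loopback redirect, as RFC 8252 recommends for native apps.
            RedirectUris = { "http://127.0.0.1:7890/callback" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            },
            AllowOfflineAccess = true
        },
        // Server-side MVC client: confidential, so it keeps a hashed secret and
        // RequireClientSecret stays at its default (true). Following the thread's
        // conclusion, PKCE is not turned on here (RequirePkce defaults to false).
        new Client
        {
            ClientId = "mvc.hybrid",
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("replace-with-a-random-secret".Sha256()) },
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            },
            AllowOfflineAccess = true
        }
    };
}
```

Register the list with `services.AddIdentityServer().AddInMemoryClients(Clients.Get())`; with the first client, a token request that omits `code_verifier` is rejected while one that omits `client_secret` succeeds.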

Thanks Dominick! Can't believe I didn't see that option.

I'm going to interpret that response to mean

  • The recommendation from the OAuth 2 for Native Apps spec is still valid
  • There is no reason to do PKCE on an MVC style app thus the need to separately configure the clients with / without a client secret depending on the client.
