client_secret required with PKCE
fpue opened this issue · 5 comments
I am currently switching to the Authorization Code Grant with PKCE, but when I try calling the signinCallback() method after the redirect, I get the following error: "Error: A client_secret is required." This is weird, since PKCE should work without a secret.
How can I fix this?
Here's my current config:
const settings: UserManagerSettings = {
  authority: 'iamthe.authority',
  client_authentication: 'client_secret_basic',
  client_id: 'clientid_would_be_here',
  loadUserInfo: true,
  redirect_uri: `${window.location.origin}/signin-callback`,
  silent_redirect_uri: `${window.location.origin}/signin-callback`,
  post_logout_redirect_uri: `${window.location.origin}/logged-out`,
  response_type: 'code',
  scope: 'openid',
  metadata: {...}
};
Tested on versions: 3.0.0-rc0 and 3.0.1
Happy to share any information that may be useful to fix this.
Most probably a configuration problem on your IdP side and not on client side.
To fix: double check your IdP config...
I dug further into the code and I think it's these lines of code. Is there a reason for basic requiring a secret, while post doesn't?
> I dug further into the code and I think it's these lines of code. Is there a reason for basic requiring a secret, while post doesn't?
That code path is only taken if settings.client_authentication is set, which you do; I overlooked it the first time, sorry. Do not set this for code flow with PKCE...
But my IdP only supports basic. Switching IdP is currently not an option, so this ticket now is more a feature request than a question.
Please add the ability to use client_authentication: 'client_secret_basic' and PKCE at the same time.
> But my IdP only supports basic.
Then you need a secret client side...