4D-Technologies / openidconnect_flutter

Complete Flutter OpenIdConnect Library

Client secret is displayed in the address bar of the web page when login. #47

Closed sachintha-s closed 1 year ago

sachintha-s commented 1 year ago

Showing the client secret in the address bar is a security risk. When I set the client secret to null it is not shown in the browser, but I get the error `unauthorized_client: Client secret not provided in request`. Can't we use a method like PKCE to authenticate? I think we don't need to expose the client secret on the client side.

Code:

```dart
// Reporter's login code (Flutter 3.10 / openidconnect ^1.0.25). The names
// defaultDiscoveryUrl, defaultClientId, defaultClientSecret, defaultRedirectUrl,
// defaultscopes, flush, SecureDB, refreshTokenKey, accessToken, refreshToken and
// isLocked belong to the surrounding widget and are not shown in the report.
Future<void> login() async {
  try {
    // Fetch the provider's discovery document first. The original used
    // .then(...) here, so the catch below could not see async failures.
    final configuration =
        await OpenIdConnect.getConfiguration(defaultDiscoveryUrl);

    final response = await OpenIdConnect.authorizeInteractive(
      context: context,
      title: "CC Login",
      request: await InteractiveAuthorizationRequest.create(
        clientId: defaultClientId,
        // This value ends up in the browser address bar during login, which
        // is the problem being reported. Passing null instead fails with
        // "unauthorized_client: Client secret not provided in request".
        clientSecret: defaultClientSecret,
        redirectUrl: defaultRedirectUrl,
        scopes: defaultscopes,
        configuration: configuration,
        autoRefresh: false,
        useWebPopup: true,
      ),
    );

    print(response?.accessToken);
    if (response?.accessToken != null && response?.refreshToken != null) {
      accessToken = response?.accessToken;
      refreshToken = response?.refreshToken;
      flush!.dismiss();
      // Persist only the refresh token; the access token stays in memory.
      SecureDB.instance.writeRefreshToken(refreshTokenKey, refreshToken!);
      setState(() {
        isLocked = false;
      });
    }
  } on Exception catch (e) {
    debugPrint(e.toString());
  }
}
```

Project: Flutter website
Flutter version: 3.10.0
Dart version: 3.0.0
Package: openidconnect: ^1.0.25
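For reference, this is what the PKCE flow the reporter asks about looks like on the wire (RFC 7636, S256 method). It is an added example written in Python, not code from openidconnect_flutter, and it does not show how or whether this library supports PKCE. Both sides of the exchange are simulated locally so it runs offline; the endpoint URLs, client_id and redirect URI are assumed values. The point to notice is that the authorization URL (the one that lands in the address bar) carries a one-way hash of a per-login secret and no client_secret at all, and that whoever redeems the code must present the original verifier.

```python
"""PKCE (RFC 7636) authorization-code flow for a public client, with no
client_secret anywhere in the browser-visible request. Added example; the
provider, client_id and redirect URI below are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed provider and client registration (not a real deployment).
AUTHORIZATION_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "flutter-web-app"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 section 4.2 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier kept only on the client; 32 bytes -> 43 chars."""
    verifier = b64url(secrets.token_bytes(nbytes))
    assert 43 <= len(verifier) <= 128  # length bounds from RFC 7636 section 4.1
    return verifier


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, nonce: str) -> str:
    """Browser-visible request: challenge goes out, verifier and secret do not."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def server_verify(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token-endpoint check when the code is redeemed: recompute and compare."""
    if method != "S256":
        return False  # refuse the downgrade to 'plain'
    if not (43 <= len(presented_verifier) <= 128):
        return False
    expected = make_code_challenge(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


def run_flow() -> dict:
    """Simulate one login and one attempt to redeem a stolen code."""
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    url = build_authorization_url(verifier, state, nonce)

    # Simulated authorization server: store the challenge alongside the code it issues.
    query = parse_qs(urlsplit(url).query)
    issued_code = b64url(secrets.token_bytes(16))
    code_store = {issued_code: (query["code_challenge"][0], query["code_challenge_method"][0])}

    # Token request: the real client sends code + its verifier; an attacker who
    # only intercepted the code (and the URL) has no verifier to present.
    challenge, method = code_store.pop(issued_code)
    legit = server_verify(challenge, method, verifier)
    stolen = server_verify(challenge, method, make_code_verifier())
    return {"url_has_secret": "client_secret" in url, "legit": legit, "stolen_code": stolen}
```

One caveat that matches the error in the report: PKCE only removes the secret from the request if the provider has the client registered as a public client. A client registered as confidential will keep answering `unauthorized_client` when the secret is omitted, regardless of whether a code_challenge is sent.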