Open riaadh opened 5 days ago
Hi @riaadh,
Yes, it's possible to use authorization code flow without PKCE enabled.
In your client entity configuration (in Identity Server) you'll want to set the RequirePkce property to false.
PKCE may still be used if your client application is configured to use it, even if RequirePkce is false.
It looks like Power Pages only uses OpenID Connect to sign in and not to receive or use any access tokens. In that case you might as well use the implicit flow and not use the code flow at all.
The implicit flow requires a nonce. For a web application that does not access APIs, that will (as far as I remember) provide the same protection as PKCE does for the code flow.
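The two client registrations described in the replies above, as an added sketch that is not code from this thread or from Duende's own samples. The client IDs, the secret and the redirect URI are placeholders; the property names are those of Duende IdentityServer's Client model.

```csharp
using System.Collections.Generic;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class Config
{
    // Placeholder: replace with the exact redirect URL the Power Pages site is configured with.
    private const string RedirectUri = "https://portal.example.com/REPLACE_WITH_REDIRECT_PATH";

    public static IEnumerable<Client> Clients => new[]
    {
        // Option 1: authorization code flow with PKCE not enforced.
        new Client
        {
            ClientId = "power-pages-code",              // placeholder
            AllowedGrantTypes = GrantTypes.Code,
            // Defaults to true. With false, a request without code_challenge
            // is accepted; a client that does send one still gets PKCE validated.
            RequirePkce = false,
            // Keep the client confidential: the code is redeemed server-side
            // with a secret, which is what binds the code to this client.
            RequireClientSecret = true,
            ClientSecrets = { new Secret("REPLACE_WITH_SECRET".Sha256()) },
            RedirectUris = { RedirectUri },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        },

        // Option 2: implicit flow used for sign-in only (id_token, no access token).
        new Client
        {
            ClientId = "power-pages-implicit",          // placeholder
            AllowedGrantTypes = GrantTypes.Implicit,
            // Already the default; stated explicitly so that response types
            // carrying an access token are refused for this client.
            AllowAccessTokensViaBrowser = false,
            RedirectUris = { RedirectUri },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        }
    };
}
```

Only one of the two registrations is needed; which one depends on the response type selected on the Power Pages side.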
Hello, we are trying to connect Microsoft Power Pages to Duende Identity Server. From their documentation they only support these flows: https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-provider
So my question is: is it possible in Identity Server to use the Authorisation code without PKCE? Or can you recommend me a flow compatible with both Identity Server and the Power Pages supported flows?
Thank you for your help.