IdentityModel / OidcCli

.NET Tool for running IdentityModel.OidcClient from the Command Line
Apache License 2.0

Hybrid Flow is not supported #2

Closed balajigunasekaran closed 5 years ago

balajigunasekaran commented 5 years ago

I tried with hybrid flow and it doesn't support it. I debugged and changed OidcClientOptions Flow and ResponseMode and then got it to work. Can you add support for hybrid flow?

leastprivilege commented 5 years ago

Why?

balajigunasekaran commented 5 years ago

[screenshot]

IdentityServer4 v2.2.0

In my scenario, I have added a client with the shown AllowedGrantTypes which is Hybrid, Password and Delegation.

When using OidcCli for that client, I am getting an error showing "Unauthorized client" because of this code in AuthorizeRequestValidator.cs (please refer to the screenshot).

Also, I cannot add authorizationcode to the AllowedGrantTypes because Hybrid is already added (might be because hybrid means both implicit & authorizationcode and it is not an allowed combination of AllowedGrantTypes).

Is it something basic that I understood wrongly? Please shed some light on this.

Thank you Dominick

leastprivilege commented 5 years ago

Not a simple answer.

My general recommendation is to use code + PKCE instead of hybrid.

https://identityserver4.readthedocs.io/en/latest/topics/grant_types.html

Here's an example of how you can use PKCE from ASP.NET Core 2.x (it's built-in in 3.0):

https://github.com/leastprivilege/AspNetCoreSecuritySamples/tree/aspnetcore21/OidcCodePkce

While I could add hybrid in the CLI, there is the issue that you have to switch to form post response mode, which will give you a warning in some browsers when posting from HTTPS to HTTP.
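As an added illustration of the "code + PKCE instead of hybrid" recommendation above (this is example code written for this page, not code from the thread, OidcCli or IdentityModel.OidcClient, and Python rather than .NET so it can be run stand-alone): the client derives a `code_challenge` from a random `code_verifier` (RFC 7636, S256), sends only `response_type=code` so the response can travel back on the query string with no `form_post` needed, and the token endpoint later refuses to redeem the code unless the presented verifier hashes to the stored challenge. The authority URL, `/connect/authorize` path, client id, redirect URI and scope are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires for both verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 4.1: 43..128 unreserved characters; 32 random bytes encode to 43 chars
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authority: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, challenge: str) -> str:
    # Client side: authorization code flow, not the hybrid "code id_token" response type.
    # Only the code comes back, so response_mode=query is enough and no HTTPS->HTTP
    # form post is involved. Placeholder endpoint path (assumption, not from the page).
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authority}/connect/authorize?{urlencode(params)}"


def verify_code_challenge(stored_challenge: str, presented_verifier: str) -> bool:
    # Server side at the token endpoint: the challenge was stored with the issued code
    # at /authorize time; redeeming the code requires the matching verifier.
    if not 43 <= len(presented_verifier) <= 128:
        return False
    recomputed = make_code_challenge(presented_verifier)
    return secrets.compare_digest(stored_challenge, recomputed)


def pkce_round_trip() -> dict:
    # Walk through one exchange with constructed placeholder values.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorize_url("https://idp.example", "cli-client",
                              "http://127.0.0.1:7890/", "openid profile",
                              secrets.token_urlsafe(16), challenge)
    sent = parse_qs(urlparse(url).query)
    return {
        "response_type": sent["response_type"][0],
        "challenge_sent": sent["code_challenge"][0] == challenge,
        # legitimate client presents its verifier: accepted
        "legit_ok": verify_code_challenge(challenge, verifier),
        # someone who only captured the code and challenge cannot produce the verifier
        "stolen_code_ok": verify_code_challenge(challenge, make_code_verifier()),
    }


if __name__ == "__main__":
    print(pkce_round_trip())
```

The point of the check in `verify_code_challenge` is what makes the plain code flow safe enough to replace hybrid: a code observed in the front channel is useless without the verifier, which never leaves the client until the back-channel token request. `pkce_round_trip` returns `stolen_code_ok: False` for exactly that reason.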