NASA-IMPACT / veda-auth-central

Standards-based security solution tailored for VEDA: comprehensive user authentication, centralized user profile management, and intelligent authorization decisions.
Apache License 2.0

Securely Expose VEDA Client Secret via REST Endpoint #55

Open lahirujayathilake opened 2 weeks ago

lahirujayathilake commented 2 weeks ago

Mitigate VEDA client secret exposure in SPAs by securely retrieving it from a backend endpoint

alukach commented 2 weeks ago

Push back if I'm misunderstanding this, but I worry that this won't be the appropriate fix for public clients like a SPA frontend. I don't believe that you will be able to establish an appropriate level of trust with a public client before sending a client secret.

The Authorization Code Flow w/ PKCE operates without a client_secret value. Rather than exchanging the authorization code + client secret (as is the case in standard Authorization Code Flow), a public client can instead send the authorization code + the generated code verifier. This way, no client secret is ever exposed to the frontend.