authts / oidc-client-ts

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
https://authts.github.io/oidc-client-ts/
Apache License 2.0

client_secret required with PKCE #1438

Open fpue opened 6 months ago

fpue commented 6 months ago

I am currently switching to the Authorization Code Grant with PKCE, but when I try calling the signinCallback() method after the redirect, I get the following error: "Error: A client_secret is required.". Which is weird, since PKCE should work without a secret. How can I fix this?

Here's my current config:

const settings: UserManagerSettings = {
  authority: 'iamthe.authority',
  client_authentication: 'client_secret_basic',
  client_id: 'clientid_would_be_here',
  loadUserInfo: true,
  redirect_uri: `${window.location.origin}/signin-callback`,
  silent_redirect_uri: `${window.location.origin}/signin-callback`,
  post_logout_redirect_uri: `${window.location.origin}/logged-out`,
  response_type: 'code',
  scope: 'openid',
  metadata: {...}
};

Tested on versions: 3.0.0-rc0 and 3.0.1

Happy to share any information that may be useful to fix this.

pamapa commented 6 months ago

Most probably a configuration problem on your IdP side and not on client side.

To fix: double check your IdP config...

fpue commented 6 months ago

I dug further into the code and I think it's these lines of code. Is there a reason for basic requiring a secret, while post doesn't?

https://github.com/authts/oidc-client-ts/blob/14168c006c3073be00580d8253f882dad36658f9/src/TokenClient.ts#L109C12-L115C23

pamapa commented 6 months ago

I dug further into the code and I think it's these lines of code. Is there a reason for basic requiring a secret, while post doesn't?

https://github.com/authts/oidc-client-ts/blob/14168c006c3073be00580d8253f882dad36658f9/src/TokenClient.ts#L109C12-L115C23

That code path is only taken if settings.client_authentication is set. Which you do; I overlooked it the first time, sorry. Do not set this for code flow with PKCE...

fpue commented 6 months ago

But my IdP only supports basic. Switching IdP is currently not an option, so this ticket now is more a feature request than a question.

Please add the ability to use client_authentication: 'client_secret_basic' and PKCE at the same time.

pamapa commented 6 months ago

But my IdP only supports basic.

Then you need a secret client side...
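The distinction the thread turns on, as an added example that is not oidc-client-ts's own code: a public PKCE client identifies itself with client_id alone, client_secret_post can carry a secret in the body but does not need one, while client_secret_basic puts client_id:client_secret into an Authorization header and therefore has nothing to send without a secret. The function and type names here are illustrative, and the credential encoding follows RFC 6749 section 2.3.1 (form-urlencoded, then base64).

```typescript
// Illustrative reconstruction of an authorization-code token request
// (not the library's TokenClient); names are assumptions for this example.
type ClientAuth = "client_secret_basic" | "client_secret_post";

interface TokenSettings {
  client_id: string;
  client_secret?: string;
  client_authentication?: ClientAuth;
  redirect_uri: string;
}

interface TokenRequest {
  headers: Record<string, string>;
  body: URLSearchParams;
}

function buildTokenRequest(s: TokenSettings, code: string, codeVerifier: string): TokenRequest {
  const headers: Record<string, string> = {
    "Content-Type": "application/x-www-form-urlencoded",
  };
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: s.redirect_uri,
    code_verifier: codeVerifier, // PKCE proof of possession; needs no secret
  });

  switch (s.client_authentication) {
    case "client_secret_basic":
      // The Basic header is client_id:client_secret, so a missing secret
      // cannot be expressed. This is the condition the issue ran into.
      if (!s.client_secret) throw new Error("A client_secret is required.");
      headers["Authorization"] = "Basic " + btoa(
        `${encodeURIComponent(s.client_id)}:${encodeURIComponent(s.client_secret)}`);
      break;
    case "client_secret_post":
      // Secret travels in the body; without one the field is simply omitted.
      body.set("client_id", s.client_id);
      if (s.client_secret) body.set("client_secret", s.client_secret);
      break;
    default:
      // Public client (browser SPA with PKCE): client_id only, no secret at all.
      body.set("client_id", s.client_id);
  }
  return { headers, body };
}
```

Leaving client_authentication unset is the public-client path the maintainer points to; a secret embedded in browser-delivered JavaScript is visible to every user of the app, which is why PKCE exists for this case.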