authts / oidc-client-ts

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
https://authts.github.io/oidc-client-ts/
Apache License 2.0

How to handle client-secret storage on the backend (Java Spring Boot) #1451

Open wanggewg opened 7 months ago

wanggewg commented 7 months ago

I am testing the auth code flow with PKCE (Authorization Code Grant with Proof Key for Code Exchange).

I have tried putting client_id and client_secret on the SPA page. Everything works fine, but that is definitely not safe. If I want to store client_secret in the backend Spring Boot application, what should I do?

pamapa commented 6 months ago

With PKCE you do not need a client secret...

wanggewg commented 6 months ago

Thank you for your response!

Our AS requires a client secret; without the secret, it returns 401: `{ "error_description": "Invalid client or client credentials.", "error": "invalid_client" }`. If I put the secret in the config, then everything is fine, but we are not allowed to put the secret in JavaScript.

If oidc-client-js allowed manually separating the code flow from the authorize-code flow, that might help. By the way, I really like this library; I just have not figured out how to customize it to my needs.

zach-betz-hln commented 5 months ago

@wanggewg As mentioned, PKCE intentionally does not need a client_secret. Your identity provider should support this.

If for some reason they don't support it, as you alluded to, you'll have to work around it, which is outside the scope of this issue.

But if it helps you in your investigation of workarounds, I've seen folks intercept the POST /authenticate call, either with a reverse proxy or dedicated backend endpoint, append the client_secret to the request body, send it to the identity provider, then forward the response to the SPA.
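The backend-endpoint workaround described above, as an added example that is not part of the issue thread or of oidc-client-ts: a server-side function that takes the token request body the SPA would have sent to the identity provider, strips any client credentials the browser may have included, and appends the secret held on the backend. The names (`buildUpstreamTokenBody`, `TokenProxyConfig`), the allowed grant types and the sample body are assumptions; on the SPA side the proxy is reached by overriding `token_endpoint` in the `metadata` setting of oidc-client-ts.

```typescript
// Added example, not oidc-client-ts or project code: the backend "token proxy"
// workaround from the thread. The SPA keeps doing PKCE but is pointed at this
// backend route instead of the provider's token endpoint (oidc-client-ts: override
// token_endpoint via the `metadata` setting). Names and sample values are assumptions.

export interface TokenProxyConfig {
  clientId: string;              // the only client this proxy acts for
  clientSecret: string;          // held on the server (vault / env var), never shipped to the browser
  upstreamTokenEndpoint: string; // the identity provider's real token_endpoint
  allowedGrantTypes: string[];   // what a browser client may legitimately request
}

/**
 * Build the body to forward upstream from the form body the SPA posted:
 * reject grant types a public client should never use (e.g. client_credentials),
 * refuse to act for any client_id but the configured one, drop a browser-supplied
 * client_secret, and keep code_verifier so PKCE still binds the exchange to the
 * authorize request. The caller POSTs the result to cfg.upstreamTokenEndpoint as
 * application/x-www-form-urlencoded and relays the provider's response unchanged.
 */
export function buildUpstreamTokenBody(spaBody: string, cfg: TokenProxyConfig): string {
  const incoming = new URLSearchParams(spaBody);
  const grant = incoming.get("grant_type") || "";
  if (cfg.allowedGrantTypes.indexOf(grant) === -1) {
    throw new Error("grant_type not allowed through the token proxy: " + (grant || "<missing>"));
  }
  if (incoming.get("client_id") !== cfg.clientId) {
    throw new Error("client_id does not match the proxy's configured client");
  }
  if (grant === "authorization_code" && !incoming.get("code_verifier")) {
    throw new Error("authorization_code exchange without a PKCE code_verifier");
  }
  const outgoing = new URLSearchParams();
  incoming.forEach((value, key) => {
    if (key !== "client_secret") outgoing.append(key, value); // browser-supplied secret is untrusted
  });
  outgoing.set("client_secret", cfg.clientSecret); // the only place the secret is added
  return outgoing.toString();
}

// Constructed sample of the code-exchange body oidc-client-ts sends (values are made up).
export const SAMPLE_SPA_BODY = new URLSearchParams({
  grant_type: "authorization_code",
  client_id: "spa-client",
  code: "SplxlOBeZQQYbYS6WxSbIA",
  redirect_uri: "https://app.example/callback",
  code_verifier: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
}).toString();
```

Because the proxy only ever adds the secret for the configured client_id and the grant types a browser may use, a leaked SPA bundle still contains nothing a third party could reuse against the provider.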