In an ASP.NET MVC app, when the Keycloak library is authorizing the user by doing a redirect to the Keycloak authorization endpoint (=requesting an access code), it includes the client secret in the URL visible is the user's browser.
Is that correct? Shouldn't the client secret only be used in the "back channel" when the library request an Id/Access Token based on the access code (via HTTP post)?
I have a Keycloak client configured like this
In an ASP.NET MVC app, when the Keycloak library is authorizing the user by doing a redirect to the Keycloak authorization endpoint (=requesting an access code), it includes the client secret in the URL visible is the user's browser.
https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak%2FTestKeycloakCookieAuth%2Fcallback&response_type=code&scope=openid&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a&client_id=testclient&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1
Is that correct? Shouldn't the client secret only be used in the "back channel" when the library request an Id/Access Token based on the access code (via HTTP post)?
https://github.com/dylanplecki/KeycloakOwinAuthentication/blob/d80b836de0f1048633ec1feee313b84aa2882926/src/KeycloakIdentityModel/Utilities/OidcDataManager.cs#L292-L293