dylanplecki / KeycloakOwinAuthentication

Keycloak Authentication Middleware for the C# OWIN Pipeline
http://keycloak.jboss.org
MIT License
56 stars 130 forks

Question: Should client secret be part of authorization endpoint redirect URL? #51

Open highbyte opened 6 years ago

highbyte commented 6 years ago

I have a Keycloak client configured like this

In an ASP.NET MVC app, when the Keycloak library is authorizing the user by doing a redirect to the Keycloak authorization endpoint (=requesting an access code), it includes the client secret in the URL visible in the user's browser.

https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak%2FTestKeycloakCookieAuth%2Fcallback&response_type=code&scope=openid&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a&client_id=testclient&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1

Is that correct? Shouldn't the client secret only be used in the "back channel" when the library requests an Id/Access Token based on the access code (via HTTP post)?

https://github.com/dylanplecki/KeycloakOwinAuthentication/blob/d80b836de0f1048633ec1feee313b84aa2882926/src/KeycloakIdentityModel/Utilities/OidcDataManager.cs#L292-L293
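Added example (Python, not the project's C# code): the front-channel authorization URL built without the secret, the back-channel token request that carries it, and a check that flags a secret in a browser redirect URL of the shape quoted above. The base URL, client id and redirect URI mirror the issue; the secret value and the authorization code are placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values mirroring the issue; the secret is a placeholder, not a real credential.
KEYCLOAK_BASE = "https://mydomain/auth/realms/testrealm/protocol/openid-connect"
CLIENT_ID = "testclient"
CLIENT_SECRET = "PLACEHOLDER-CLIENT-SECRET"
REDIRECT_URI = "http://localhost:1234/owin/security/keycloak/TestKeycloakCookieAuth/callback"

# Parameters that belong only in the server-to-server token request, never in a browser redirect.
BACK_CHANNEL_ONLY = {"client_secret"}


def build_authorization_url(state: str) -> str:
    """Front channel: the redirect the browser follows needs only public parameters."""
    params = {
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "client_id": CLIENT_ID,
    }
    return f"{KEYCLOAK_BASE}/auth?{urlencode(params)}"


def build_token_request(code: str) -> dict:
    """Back channel: the secret travels in the POST body to /token, server to server."""
    return {
        "url": f"{KEYCLOAK_BASE}/token",
        "form": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        },
    }


def leaked_params(url: str) -> list:
    """Names of back-channel-only parameters that appear in a front-channel URL (empty is good)."""
    query = parse_qs(urlsplit(url).query)
    return sorted(name for name in query if name in BACK_CHANNEL_ONLY)


# Constructed copy of the URL shape reported in the issue, secret replaced by a placeholder.
REPORTED_URL = (KEYCLOAK_BASE + "/auth?redirect_uri=http:%2F%2Flocalhost:1234%2Fcallback"
                "&response_type=code&scope=openid&state=oidc_state_x&client_id=testclient"
                "&client_secret=PLACEHOLDER")

if __name__ == "__main__":
    print("reported URL leaks:", leaked_params(REPORTED_URL))                      # ['client_secret']
    print("corrected URL leaks:", leaked_params(build_authorization_url("oidc_state_x")))  # []
```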

highbyte commented 6 years ago

Issue was fixed in the mattmorg55/Owin.Security.Keycloak fork that works with Keycloak v3.2.

mattmorg55/Owin.Security.Keycloak#4