Closed highbyte closed 6 years ago
I have a Keycloak client configured like this
In an ASP.NET MVC app, when the Keycloak library is authorizing the user by doing a redirect to the Keycloak authorization endpoint (= requesting an access code), it includes the client secret in the URL visible in the user's browser.
https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak%2FTestKeycloakCookieAuth%2Fcallback&response_type=code&scope=openid&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a&client_id=testclient&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1
Is that correct? Shouldn't the client secret only be used in the "back channel" when the library requests an Id/Access Token based on the access code (via HTTP POST)?
https://github.com/mattmorg55/Owin.Security.Keycloak/blob/694601cc40ffd1d41242e77ca992765771baf61d/src/Keycloak.IdentityModel/Utilities/OidcDataManager.cs#L277-L278
Issue also reported in the original repo: dylanplecki/KeycloakOwinAuthentication#51
I don't think this should be added to the params... The client secret should only be used to validate the JWT signature. Can you make the change and submit a pull request?
Fixed in #4
Hey thanks for making that change... I published the new package 3.0.2.
No problem. Thanks for publishing a new package.
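The distinction the issue draws, as an added example that is not part of the thread or of the Owin.Security.Keycloak library: the front-channel authorization request is a browser redirect, so everything in its query string lands in browser history, referrer headers, reverse-proxy and IdP access logs, while the client secret belongs only in the server-to-server token request. The endpoint hostnames, the `build_*` helpers and the access-log lines are constructed for illustration; the leaking URL is the one quoted in the report.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample endpoints (hypothetical host, not the reporter's deployment).
AUTH_ENDPOINT = "https://idp.example/auth/realms/testrealm/protocol/openid-connect/auth"
TOKEN_ENDPOINT = "https://idp.example/auth/realms/testrealm/protocol/openid-connect/token"

# Client-authentication parameters: legitimate only in the back-channel token request.
CLIENT_CREDENTIAL_PARAMS = frozenset({"client_secret", "client_assertion"})


def build_authorization_url(client_id, redirect_uri, state, scope="openid"):
    """Front-channel request. The user's browser is redirected to this URL, so
    every parameter is visible to the user and to anything that logs URLs.
    No client credential is included."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Back-channel request. The application server POSTs this form body
    directly to the token endpoint over TLS; the browser never sees it.
    This is the only place the client secret is sent."""
    return {
        "url": TOKEN_ENDPOINT,
        "method": "POST",
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "client_id": client_id,
            "client_secret": client_secret,
        },
    }


def leaked_credential_params(url_or_path):
    """Names of client-credential parameters present in the query string of an
    authorization request (full URL or bare request target both work)."""
    query = parse_qs(urlsplit(url_or_path).query, keep_blank_values=True)
    return sorted(name for name in query if name in CLIENT_CREDENTIAL_PARAMS)


def scan_access_log(lines):
    """Detection: flag Common Log Format lines whose request target is an
    /openid-connect/auth request that carries a client credential.
    Returns (target, leaked_parameter_names) pairs."""
    findings = []
    for line in lines:
        try:
            request = line.split('"')[1]      # 'METHOD target HTTP/x.y'
            target = request.split(" ")[1]
        except IndexError:
            continue                          # not a request line we understand
        if urlsplit(target).path.endswith("/openid-connect/auth"):
            leaked = leaked_credential_params(target)
            if leaked:
                findings.append((target, leaked))
    return findings


# The redirect URL quoted in the issue report: the secret is in the front channel.
ISSUE_REDIRECT_URL = (
    "https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth"
    "?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak%2FTestKeycloakCookieAuth%2Fcallback"
    "&response_type=code&scope=openid&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a"
    "&client_id=testclient&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1"
)

# Constructed reverse-proxy log lines (sample data, Common Log Format).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /auth/realms/testrealm/protocol/openid-connect/auth?response_type=code&client_id=testclient&state=abc&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1 HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2019:10:00:01 +0000] "GET /auth/realms/testrealm/protocol/openid-connect/auth?response_type=code&client_id=testclient&state=def HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2019:10:00:02 +0000] "POST /auth/realms/testrealm/protocol/openid-connect/token HTTP/1.1" 200 1432',
]

if __name__ == "__main__":
    print(leaked_credential_params(ISSUE_REDIRECT_URL))   # ['client_secret']
    for target, leaked in scan_access_log(SAMPLE_LOG):
        print("client credential in front channel:", leaked, target[:70])
```

`scan_access_log` is the check a defender can run over existing proxy or Keycloak access logs to find out whether an affected client version ever exposed the secret; any hit means the secret should be treated as disclosed and rotated, since URLs in those logs and in users' browser histories are not under the application's control.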