nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Support PKCE without Client Secret #202

Closed tuanba2203 closed 3 years ago

tuanba2203 commented 3 years ago

Hi team,

With the new update from Okta we need to use PKCE. We cannot use a client secret for the new OIDC application anymore.

"Use PKCE (for public clients) Uses Proof Key for Code Exchange (PKCE) instead of a client secret. A one-time key is generated by the client and sent with each request. Instead of proving the identity of a client, this ensures that only the client which requested the token can redeem it."

When I try to configure OIDC plugin without client secret, I got error:

```
HTTP/1.1 400 Bad Request
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 175
Content-Type: application/json; charset=utf-8
Date: Thu, 22 Apr 2021 06:53:54 GMT
Server: kong/2.3.0
X-Kong-Admin-Latency: 1

{
  "code": 2,
  "fields": {
    "config": {
      "client_secret": "required field missing"
    }
  },
  "message": "schema violation (config.client_secret: required field missing)",
  "name": "schema violation"
}
```

Could I ask about your planning to support PKCE?

Best Regards
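The Okta text quoted in the issue describes what PKCE (RFC 7636) replaces the client secret with: the client generates a one-time `code_verifier`, sends a hash of it (`code_challenge`) on the authorization request, and must present the original verifier when redeeming the code, so the authorization server can check that the redeemer is the party that started the flow. The following Python example is added here to illustrate that binding; it is not code from kong-oidc or from Okta. The `ToyAuthorizationServer` class is a hypothetical in-memory stand-in for the `/authorize` and `/token` endpoints, and the test vector is the one given in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: fresh high-entropy verifier (32 random bytes -> 43 chars)."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, method S256: challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def is_valid_verifier(verifier: str) -> bool:
    return bool(_VERIFIER_RE.match(verifier))


def verify_code_challenge(verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Server side (section 4.6): recompute the challenge from the presented verifier."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    # constant-time comparison so the check itself leaks nothing about the stored value
    return hmac.compare_digest(expected, stored_challenge)


class ToyAuthorizationServer:
    """Hypothetical in-memory authorization server (assumption: not a real product's API)."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """/authorize: issue a code and remember the challenge it was bound to (section 4.4)."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, code_challenge_method)
        return code

    def redeem(self, code: str, code_verifier: str):
        """/token: the code is single-use and only the holder of the verifier may redeem it."""
        entry = self._pending.pop(code, None)  # pop: a replayed code fails even with the right verifier
        if entry is None:
            return None
        challenge, method = entry
        if not is_valid_verifier(code_verifier):
            return None
        if not verify_code_challenge(code_verifier, challenge, method):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_flow() -> bool:
    """Walk one public-client flow end to end; True if the binding behaves as intended."""
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    # a party that only observed the challenge (or the code) cannot redeem it
    intercepted = server.redeem(code, make_code_verifier()) is None
    if not intercepted:
        return False
    # the legitimate client presents the original verifier; the code is gone afterwards
    token = server.redeem(code, verifier)
    return token is None  # code was already consumed by the failed attempt above


if __name__ == "__main__":
    print("flow behaved as intended:", run_flow())
```

Note the `pop` in `redeem`: because the code is consumed on the first attempt, `run_flow()` returns True only because the failed redemption by the wrong party burned the code before the legitimate client got to it, which is the single-use behaviour section 4.6 relies on together with the verifier check.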