lanwen opened this issue 2 years ago (status: Open)
did you find a workaround?
@laduke Yes, I had to fork it https://github.com/oauth2-proxy/mockoidc/compare/main...lanwen:mockoidc:client-secret-ignore
I was just tacking on `client_secret` into my token exchange request arbitrarily in my redirect handler to get around this.
```go
// cookieNameNonce, cookieNamePkce, testDirectedClientSecret and
// testDirectedAuthenticator are package-level values in the commenter's test code.
func testDirectedHandler(w http.ResponseWriter, r *http.Request) {
	var httpCookies []*http.Cookie
	cookieNonce, err := r.Cookie(cookieNameNonce)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error getting nonce cookie"))
		return
	}
	cookiePkce, err := r.Cookie(cookieNamePkce)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error getting pkce cookie"))
		return
	}
	httpCookies = append(httpCookies, cookieNonce)
	httpCookies = append(httpCookies, cookiePkce)
	// Rebuild the redirect URL with client_secret appended to the query string.
	rauT := fmt.Sprintf("http://%s%s?%s&client_secret=%s",
		r.URL.Host,
		r.URL.Path,
		r.URL.RawQuery,
		testDirectedClientSecret,
	)
	rau, err := url.Parse(rauT)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error parsing directed request URL"))
		return
	}
	cookieAccessToken, _, err := testDirectedAuthenticator.ValidateURLAndExchangeToken(
		rau, // give the URL path to be parsed
		httpCookies,
	)
	...
```
Since this flow is intended to be adopted by native and web apps, most of the services (such as auth0 for instance) allow omitting `client_secret`, as it's anyway insecure. Would be nice to have it as a config option or a way to override.
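The policy this issue asks for, as an added example in Go that is neither mockoidc's code nor the workaround posted above: a token-endpoint check in which `client_secret` is required only for clients configured as confidential, while public clients (native and web apps) are instead bound to the authorization code through the PKCE `code_verifier`. The `ClientConfig`, `IssuedCode` and error values are hypothetical, as is the `Public` switch; the `S256Challenge` helper implements the S256 transform of RFC 7636, and the sample verifier in `main` is the RFC 7636 Appendix B vector. The secret is deliberately read from the POST body rather than the query string, since query strings are routinely written to access logs.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Added example, not mockoidc's own code. ClientConfig and IssuedCode are
// hypothetical types standing in for whatever a mock provider stores;
// Public is the config switch the issue asks for.
type ClientConfig struct {
	ClientID     string
	ClientSecret string // unused when Public is true
	Public       bool   // public clients (native/SPA) never hold a secret
}

// IssuedCode is the record kept for an authorization code when the
// authorization endpoint redirects back to the client.
type IssuedCode struct {
	ClientID      string
	CodeChallenge string // as sent in the authorization request; empty if no PKCE
	Method        string // "S256" or "plain"
}

var (
	ErrUnknownCode      = errors.New("invalid_grant: unknown authorization code")
	ErrClientMismatch   = errors.New("invalid_grant: code was issued to another client")
	ErrSecretRequired   = errors.New("invalid_client: client_secret is required")
	ErrBadSecret        = errors.New("invalid_client: client_secret does not match")
	ErrVerifierRequired = errors.New("invalid_grant: code_verifier is required")
	ErrVerifierMismatch = errors.New("invalid_grant: code_verifier does not match code_challenge")
)

// S256Challenge computes BASE64URL(SHA256(code_verifier)) without padding,
// the S256 transform of RFC 7636 section 4.2.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ValidateTokenRequest applies the client-authentication policy to one token
// request. form is the parsed POST body of the token endpoint.
func ValidateTokenRequest(client ClientConfig, codes map[string]IssuedCode, form url.Values) error {
	code, ok := codes[form.Get("code")]
	if !ok {
		return ErrUnknownCode
	}
	if code.ClientID != client.ClientID || form.Get("client_id") != client.ClientID {
		return ErrClientMismatch
	}
	if !client.Public {
		// Confidential client: the secret is mandatory and compared in constant time.
		secret := form.Get("client_secret")
		if secret == "" {
			return ErrSecretRequired
		}
		if subtle.ConstantTimeCompare([]byte(secret), []byte(client.ClientSecret)) != 1 {
			return ErrBadSecret
		}
	}
	// With or without a secret, a code issued against a code_challenge can only
	// be redeemed by the party holding the matching code_verifier.
	if code.CodeChallenge != "" {
		verifier := form.Get("code_verifier")
		if verifier == "" {
			return ErrVerifierRequired
		}
		expected := verifier // "plain" method
		if code.Method == "S256" {
			expected = S256Challenge(verifier)
		}
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code.CodeChallenge)) != 1 {
			return ErrVerifierMismatch
		}
	}
	return nil
}

func main() {
	// Constructed sample: a public client redeeming a code with the RFC 7636
	// Appendix B verifier, once correctly and once with a wrong verifier.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	codes := map[string]IssuedCode{
		"abc": {ClientID: "app", CodeChallenge: S256Challenge(verifier), Method: "S256"},
	}
	pub := ClientConfig{ClientID: "app", Public: true}
	good := url.Values{"code": {"abc"}, "client_id": {"app"}, "code_verifier": {verifier}}
	bad := url.Values{"code": {"abc"}, "client_id": {"app"}, "code_verifier": {"not-the-verifier"}}
	fmt.Println("public client, correct verifier:", ValidateTokenRequest(pub, codes, good))
	fmt.Println("public client, wrong verifier:  ", ValidateTokenRequest(pub, codes, bad))
}
```

With `Public: false` the same request is rejected with `ErrSecretRequired` until a matching `client_secret` is present in the body, which is the behaviour a confidential client expects; flipping the flag is all a mock provider needs to serve both client types.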