Lastbuilders

Reputation: 79

Can I use IdentityServer3 Authorization Code Flow with PKCE and no client secret?

I am looking to extend our ID server instance to support mobile apps and wish to use Authorization Code Flow with PKCE. As this is a public client, I do not wish to store the secret in the app, but it appears ID3 requires a secret. Can anyone confirm this? If it is the case, I may need to look at upgrading ID3 to ID4, which is going to be an issue with my timelines.

Kind Regards, Lastbuilders

Upvotes: 4

Views: 1064

Answers (1)

d_f

Reputation: 4859

Specifying a secret for a public client is not an issue with the code + PKCE flow. In that case it's just a rudiment, hardly adding more security. That's why they introduced an option to switch it off entirely.

Upvotes: 4
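As an added example (not from the question or the answer, and not IdentityServer code), here is the PKCE exchange that makes a client secret redundant for a public client: the verifier and S256 challenge on the client side, and the server-side check that binds the token request back to the authorization request. The function names and the stored-code record are assumptions of this illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy code_verifier (43..128 chars per RFC 7636)."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """Client side: S256 code_challenge sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side: check the token request's code_verifier against the challenge
    stored with the authorization code. Only S256 is accepted, the verifier length
    is enforced before hashing, and the comparison is constant-time."""
    if stored_method != "S256":
        return False
    if not (43 <= len(presented_verifier) <= 128):
        return False
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)


def demo():
    # Constructed exchange: the public client keeps the verifier in memory only;
    # the authorization server stores the challenge alongside the issued code.
    verifier = make_verifier()
    stored = {"code": "constructed-auth-code",
              "challenge": make_challenge(verifier), "method": "S256"}
    # Token request from the legitimate client: code + verifier, no client secret.
    legit_ok = verify_pkce(stored["challenge"], stored["method"], verifier)
    # A token request carrying only the code and a different verifier is refused,
    # which is the property a client secret would otherwise have to provide.
    other_ok = verify_pkce(stored["challenge"], stored["method"], make_verifier())
    return legit_ok, other_ok
```

The server must also reject `code_challenge_method=plain` and bind the challenge to the issued code, otherwise dropping the secret does weaken the flow.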
