Replies: 2 comments
-
Using PKCE makes dealing with public clients more secure, but it is also perfectly fine to use it with confidential clients, which should be the default for web clients like mod_auth_openidc; there's no reason to make mod_auth_openidc a public client since it can keep a secret.
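The point made in the answer above, as an added example (not code from mod_auth_openidc or from this thread): the PKCE `code_verifier` and the client authentication are separate parts of the token request, so a confidential client sends both. Function names and sample values are hypothetical; the S256 transform follows RFC 7636 and the Basic credential encoding follows RFC 6749 section 2.3.1.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote_plus, urlencode


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Fresh (code_verifier, code_challenge) for one authorization request."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    return verifier, s256_challenge(verifier)


def token_request(code, verifier, redirect_uri, client_id,
                  client_secret=None, auth_method="client_secret_basic"):
    """Return (headers, body) for the authorization-code token request."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,  # PKCE proof, sent with either auth method
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        if not client_secret:
            raise ValueError("client_secret_basic needs a client secret")
        creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif auth_method == "none":
        body["client_id"] = client_id  # public client: identified, not authenticated
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return headers, urlencode(body)


def provider_accepts_verifier(verifier, stored_challenge):
    """Provider-side S256 check of the verifier against the stored challenge."""
    return secrets.compare_digest(s256_challenge(verifier), stored_challenge)
```

With `client_secret_basic` the provider checks both the secret and the verifier; with `none` the verifier is the only thing binding the token request to the client that started the flow.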
-
Thank you for your answer!
On Fri, Jan 20, 2023 at 17:15, Hans Zandbelt ***@***.***> wrote:
… using PKCE makes dealing with public clients more secure but it is also
perfectly fine to use it with confidential clients, which should be the
default for web clients like mod_auth_openidc; there's no reason to make
mod_auth_openidc as a public client since it can keep a secret
-
Hello,
First of all, thanks for this great open source project!
For my use case, I configure the module with Auth code + PKCE, but I faced an error that I fixed by configuring OIDCProviderTokenEndpointAuth to none.
Following your documentation, the value of OIDCProviderTokenEndpointAuth is: "When not defined the default method from the specification is used, i.e. "client_secret_basic"".
But when we are using PKCE there is no secret, so auth to token endpoint should be none.
My question is: shouldn't the default value for OIDCProviderTokenEndpointAuth be none when PKCE is used?
Thanks for your answer
Khaled HAMLAOUI