OpenIdDict 6 (03.12.2022 W) Flashcards

(4 cards)

1
Q

Why is the client secret optional during OpenIddict application configuration?

A

Because there are public clients that can't store a secret safely, for example browser or mobile applications.

When you deal with such applications, omit client secrets for them and use either the implicit flow or the authorization code flow with PKCE. The latter is preferred; the former is obsolete.

2
Q

Can you use the client credentials flow with an application that has no client secret?

A

No, because client_secret is mandatory for the client credentials flow.

3
Q

Can you use just the authorization code flow for clients that have no client secret?

A

Yes, but it's recommended to use PKCE in such cases and, moreover, to enforce it for such clients by specifying Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange } during client configuration.

Actually, you can also use it for server applications (protected clients), so you can even require it globally by calling options.AllowAuthorizationCodeFlow().RequireProofKeyForCodeExchange() during AddServer setup.

4
Q

How does PKCE work?

A

PKCE works by having the app generate a random value at the beginning of the flow called a Code Verifier. The app hashes the Code Verifier and the result is called the Code Challenge. The app then kicks off the flow in the normal way, except that it includes the Code Challenge in the query string for the request to the Authorization Server.

The Authorization Server stores the hashed value (the Code Challenge) for later verification and, after the user authenticates, redirects back to the app with an authorization code.

The app makes the request to exchange the code for tokens, only it sends the Code Verifier instead of a fixed secret. Now the Authorization Server can hash the Code Verifier and compare it to the hashed value it stored earlier. This is an effective, dynamic stand-in for a fixed secret. Assuming the hashed value matches, the Authorization Server will return the tokens.
