1
Give developers the option to disable non-PKCE flows on a per-client basis
M
MoritzJan 21, 2024
The problem seems to be that a client has its Client Secret set. If I use this secret in my development environment, everything works. But because this is a PWA, I cannot share the client secret in production.
Even though it is ok to expose the client secret, becauseThe PKCE code_verifier ensures that no interception of the code can occur.
My concern would be a scenario where a bad actor took the now-exposed client_secret and found a way to maliciously construct a non-PKCE flow from my domain.
Kommentare
Es hat noch niemand diesen Beitrag kommentiert.