Using PKCE with Client Authentication Disabled
-
When deploying an SPA, we want to use PKCE with the authorization code grant. However, we want our users to be able to utilise a refresh token for the duration of their sessions. Currently, the only way that I can get this to work is by turning "Client Authentication" to "Not required" - instead of our current "Not required when using PKCE" setup.
What is the recommended practice for setting up an SPA with the authorization_code and refresh_token grants? I believe that what we are doing is to spec (https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens). Would the recommendation here be to disable Client Authentication entirely? Or does that have its own risks?
-
@calumhall96 I didn't want you to think no one was looking at your post. I am not familiar with this setup so it is going to take me a while to check it out. In the meantime, if anyone has any ideas, please speak up.
-
I can't speak to FusionAuth in particular, but when you have a public client you ideally don't want to use the client secret for anything, since SPAs / Mobile Apps / etc cannot keep a secret.
Edit: Found this GitHub issue marked as wontfix: https://github.com/FusionAuth/fusionauth-issues/issues/2173
If you do need a confidential client for something you should have a separate client for it.
So, my take would be that since you shouldn't be using that secret for anything you shouldn't need it to be required for any flow.
You also didn't ask this but you do want to have PKCE enabled for your SPA's client.