OpenID Connect `client_secret` should be optional #9212

tmortagne · 2021-01-23T11:19:11Z

I'm surprised to see client_secret documented as required since it's not really the case in the OIDC protocol even if it's definitely a good practice especially for big public providers which often do require it.

The text was updated successfully, but these errors were encountered:

richvdh · 2021-01-25T14:51:24Z

agreed. Happy to look at a PR which makes it optional.

richvdh · 2021-01-25T15:00:46Z

actually I can probably just do it as part of #9220

Apple had to be special. They want a client secret which is generated from an EC key. Fixes #9220. Also fixes #9212 while I'm here.

anoadragon453 added the T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks. label Jan 26, 2021

richvdh mentioned this issue Mar 4, 2021

JWT OIDC secrets for Sign in with Apple #9549

Merged

richvdh closed this as completed in #9549 Mar 9, 2021

richvdh added a commit that referenced this issue Mar 9, 2021

JWT OIDC secrets for Sign in with Apple (#9549)

eaada74

Apple had to be special. They want a client secret which is generated from an EC key. Fixes #9220. Also fixes #9212 while I'm here.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenID Connect `client_secret` should be optional #9212

OpenID Connect `client_secret` should be optional #9212

tmortagne commented Jan 23, 2021

richvdh commented Jan 25, 2021

richvdh commented Jan 25, 2021

OpenID Connect client_secret should be optional #9212

OpenID Connect client_secret should be optional #9212

Comments

tmortagne commented Jan 23, 2021

richvdh commented Jan 25, 2021

richvdh commented Jan 25, 2021

OpenID Connect `client_secret` should be optional #9212

OpenID Connect `client_secret` should be optional #9212