
OAuth2.0 Authorization Flow without Client Secret

Hi,

My use case is supporting Native Apps to talk to OAuth endpoints.

My research indicates that in such cases the recommended approach is not to use the client secret in a Basic Authorization Header when talking to the /token endpoint.

Instead, to use a one-time code verifier and code challenge, known as the PKCE extension, through the flow.

My experience with Apigee is that the OAuthV2 policy does not work if there is no Basic Authorization header that has the base64(client_id:client_secret) when performing the GenerateToken / RefreshToken operations.

Can this restriction be turned off somehow?

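To make concrete what the PKCE flow in the question replaces the client secret with, here is an added Python example (not code from the post, and not Apigee's OAuthV2 implementation). It generates a `code_verifier` and its S256 `code_challenge` as specified in RFC 7636, and models a toy in-memory authorization server that stores the challenge with the issued authorization code and checks the verifier at `/token`. The security point: the code is bound to the challenge, so an intercepted authorization code cannot be redeemed without the verifier that never left the native app. The `AuthorizationServer` class, its method names and the in-memory code store are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: code_verifier uses only unreserved characters, 43..128 long.
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Generate a high-entropy, single-use code_verifier for one authorization request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128 characters")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with padding removed (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server (constructed for this example, not Apigee).

    It keeps the code_challenge alongside each issued authorization code and
    re-derives the challenge from the presented code_verifier at /token, which
    is the check that stands in for the client secret for public clients.
    """

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Only the S256 method is accepted; "plain" gives no protection against code interception.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # pop() makes the authorization code single-use: a replayed code fails.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time comparison of the re-derived challenge against the stored one.
        if not hmac.compare_digest(s256_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_native_app_flow(server: AuthorizationServer, client_id: str = "native-app-example") -> bool:
    """Walk the full exchange from the native app's side and report whether a token was issued."""
    verifier = make_code_verifier()                      # kept in app memory only
    challenge = s256_challenge(verifier)                 # sent with the /authorize request
    code = server.authorize(client_id, challenge)        # returned via the redirect
    token = server.token(client_id, code, verifier)      # no client secret in this request
    return token is not None and token.get("token_type") == "Bearer"


if __name__ == "__main__":
    print("flow succeeded:", run_native_app_flow(AuthorizationServer()))
```

The `/token` call in `run_native_app_flow` carries only `client_id`, `code` and `code_verifier`; that is the shape of the request the question describes, with no `Authorization: Basic` header. Whether Apigee's OAuthV2 policy can accept such a request is exactly what the question asks and is not answered by this example.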