According to the OAuth2 spec, there are "Confidential" and "Public" clients; the difference is that "Public" clients cannot store any secret safely (i.e. client_secret).
The OpenID Connect spec is based on OAuth2, so it follows the same client type distinction.
Now the OpenID Foundation has created a best-practice implementation (SDK) for Android and iOS, so mobile apps can use OpenID Connect to authenticate users.
These SDKs use the OAuth2 Authorization Code flow; however, since mobile apps are considered "Public" clients, the SDK assumes that only the client_id is stored in the app.
So when the SDK tries to exchange the authorization_code for an access_token, it does not authenticate using client_id AND client_secret.
So, here is the problem: in Apigee, the OAuth2 policy for the GenerateAccessToken operation, when using GrantType authorization_code, requires authentication with client_id AND client_secret.
Is there a way to modify this behavior?
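To make the distinction in the question concrete, here is an added example (not code from the Apigee product, the OpenID Foundation SDKs, or the original poster) of the RFC 6749 §4.1.3 code-exchange request as sent by a public client (client_id only) and by a confidential client (HTTP Basic with client_id and client_secret), together with a token-endpoint check that requires the secret only for clients registered as confidential. The client registry, issued codes, redirect URIs and secret values are constructed for the example.

```python
"""Token-endpoint client authentication for public vs. confidential OAuth2
clients. Added example; registry, codes and secrets below are constructed."""
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed client registry: the authorization server decides per client
# whether a secret is required, based on the registered client type.
CLIENT_REGISTRY = {
    "mobile-app": {  # public client (RFC 6749 s2.1): cannot hold a secret
        "type": "public",
        "secret": None,
        "redirect_uris": ["com.example.app:/oauth2redirect"],
    },
    "web-backend": {  # confidential client: secret kept server-side
        "type": "confidential",
        "secret": "constructed-secret-not-real",
        "redirect_uris": ["https://backend.example/callback"],
    },
}

# Constructed store of authorization codes issued earlier in the flow,
# recording which client and redirect_uri each code was issued for.
# (A real server would also make each code single-use and short-lived.)
ISSUED_CODES = {
    "code-mobile-1": {"client_id": "mobile-app",
                      "redirect_uri": "com.example.app:/oauth2redirect"},
    "code-web-1": {"client_id": "web-backend",
                   "redirect_uri": "https://backend.example/callback"},
}


def build_token_request(client_id, code, redirect_uri, client_secret=None):
    """Build the code-exchange request as (headers, body).
    A public client sends only client_id in the form body; a confidential
    client additionally authenticates with HTTP Basic (RFC 6749 s2.3.1)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return headers, body


def authenticate_token_request(headers, body):
    """Server side: return (ok, reason). A secret is demanded only from
    confidential clients; every client is still bound to the code it was
    issued and to its registered redirect_uri."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "authorization_code":
        return False, "unsupported_grant_type"

    client_id = params.get("client_id")
    basic_secret = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return False, "invalid_client: malformed Basic credentials"
        basic_id, _, basic_secret = decoded.partition(":")
        if client_id is not None and client_id != basic_id:
            return False, "invalid_client: client_id mismatch"
        client_id = basic_id

    reg = CLIENT_REGISTRY.get(client_id)
    if reg is None:
        return False, "invalid_client: unknown client"

    if reg["type"] == "confidential":
        if basic_secret is None or not hmac.compare_digest(basic_secret, reg["secret"]):
            return False, "invalid_client: secret required"

    # Both client types: the code must have been issued to this client_id and
    # redirect_uri must equal the one used in the authorization request.
    issued = ISSUED_CODES.get(params.get("code"))
    if issued is None or issued["client_id"] != client_id:
        return False, "invalid_grant: code not issued to this client"
    if (params.get("redirect_uri") != issued["redirect_uri"]
            or issued["redirect_uri"] not in reg["redirect_uris"]):
        return False, "invalid_grant: redirect_uri mismatch"
    return True, f"{reg['type']} client accepted"
```

The point the check makes is that "no client_secret" is not the same as "no client authentication at all": for a public client the server instead relies on the code having been issued to that client_id and on the registered redirect_uri, which is what the question's mobile SDK depends on.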
Roberto, good question.
There is no way to modify the behavior of the GenerateAccessToken or GenerateAuthorizationCode policy. However, there may be a ready and easy workaround.
Given the client_id, you could design the API proxy flow to perform this sequence:
Does this make sense?