Is there a possibility to use Authorization Code Flow without providing client secret?
I am trying to integrate Google login into my Blazor WASM application, but my client library does not support a client secret (I am using Microsoft.AspNetCore.Components.WebAssembly.Authentication).
Is there a way to make the client secret non-mandatory in my auth flow? I tried generating credentials for UWP and Desktop apps (since I found online that they are by default configured as public clients and do not require a secret), but no luck.
Hi @Singleton,
Welcome to Google Cloud Community!
Blazor WebAssembly (WASM) apps are considered public clients because they run directly in users' browsers. For these apps, the go-to method for authentication is the Authorization Code Flow with Proof Key for Code Exchange (PKCE), which conveniently skips the need for a client secret. This setup is highly recommended for public clients.
So, what’s PKCE all about? It’s an OAuth extension designed to keep your authorization code safe from prying eyes. Here’s how it works: the public client generates a random string called a code verifier. This verifier is then used to create a code challenge, which gets sent to the authorization server when requesting the authorization code. When it’s time to exchange that code for an access token, the server checks the code challenge to ensure it matches what was originally sent. This way, only the public client that initiated the request can exchange the code for an access token, keeping things secure.
If you're curious and want to dive deeper into PKCE, check out this video.
I hope the above information is helpful.
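The PKCE exchange described in the answer above, as an added example that is not part of the original post or of any Google or Microsoft library. The client id, redirect URI and authorization code are constructed placeholders; the authorization endpoint URL is Google's documented one; the server-side check is what any RFC 7636 compliant token endpoint does, independent of whether it also demands a client_secret.

```python
"""PKCE (RFC 7636) walk-through: verifier, challenge, both requests, and the
server-side check. Added illustration; all ids, URIs and codes are constructed."""
import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

UNRESERVED = string.ascii_letters + string.digits + "-._~"  # RFC 7636 section 4.1 alphabet


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(length: int = 64) -> str:
    """Random code_verifier of 43..128 characters from the unreserved set."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(client_id: str, redirect_uri: str, challenge: str, state: str) -> str:
    """Step 1: the browser is sent here. Only the challenge leaves the client;
    the verifier stays in the app until the token request."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid email", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


def token_request_body(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 2: a public client proves possession of the verifier instead of a
    client_secret. (The thread reports that Google's token endpoint rejects
    exactly this body with 'client_secret is missing'.)"""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server checks at the token endpoint: the challenge
    it stored with the code must equal S256 of the verifier presented now."""
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)
```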
This response is incorrect with respect to Google's infrastructure. The spec for PKCE does not require a client_secret, but Google's implementation does. @mcbsalceda is there any information about Google lifting this requirement?
This is awful, and needs to be addressed as a priority.
I have created a Desktop app and, interestingly, it has a client id and also a client secret. I tried to use PKCE verification as you mentioned in the video, but the token endpoint gives a "client_secret is missing" error even though I send the client_id, code and code_verifier parameters too. This PKCE implementation works for all other identity providers like Okta, Microsoft, etc., but only Google gives me an error like "client_secret is missing". Could you please have a look at this? Thanks.
I also have this exact same issue. It is my understanding that PKCE should not need a client secret, and this is how it is for all other OAuth providers. I get the same error, "client_secret is missing". In theory someone could reverse engineer my desktop app, so I can't risk including a secret in the code.
The OAuth2 spec distinguishes between "Confidential" and "Public" clients, the difference being that "Public" clients cannot store any secret safely (i.e. a client_secret).
Google's Identity Platform as of today does not support public applications under the "Web Application" profile. Flows always require a client_secret. As such, Google's Identity Platform is inferior to almost all other IdPs on the market. Even worse, Google still advocates for the implicit flow, which is significantly less secure than Authorization Code Flow with PKCE. Due to this reason, mainstream client libraries such as `oidc-client-ts` don't support the implicit flow anymore and are thus incompatible with SPAs on Google Cloud. Multiple threads on this topic are available [here](https://github.com/authts/oidc-client-ts/issues/152).
Please, Google, fix your basics ASAP.