This repository has been archived by the owner on Mar 25, 2021. It is now read-only.

Question: Should client secret be part of authorization endpoint redirect URL? #51

Open
highbyte opened this issue Nov 7, 2017 · 1 comment

Comments


highbyte commented Nov 7, 2017

I have a Keycloak client configured like this
- Standard (code) flow
- Client secret (access type: confidential)

In an ASP.NET MVC app, when the Keycloak library is authorizing the user by doing a redirect to the Keycloak authorization endpoint (=requesting an access code), it includes the client secret in the URL visible in the user's browser.

https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak%2FTestKeycloakCookieAuth%2Fcallback&response_type=code&scope=openid&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a&client_id=testclient&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1

Is that correct? Shouldn't the client secret only be used in the "back channel" when the library requests an Id/Access Token based on the access code (via HTTP post)?

```csharp
// Library code that appends the client secret to the authorization (front-channel) request parameters
if (!string.IsNullOrWhiteSpace(_options.ClientSecret))
    parameters.Add(OpenIdConnectParameterNames.ClientSecret, _options.ClientSecret);
```
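The front-channel/back-channel split the question describes, as an added example in Python (this is not code from Owin.Security.Keycloak or Keycloak; the `build_authorization_url`, `build_token_request` and `audit_front_channel_url` helpers and the token endpoint path are assumptions for illustration). The authorization redirect carries only public parameters, the client secret travels only in the server-to-server token POST, and an audit function parses a redirect URL and reports any parameter that must never be exposed to the browser. The leaking URL from the issue is embedded as sample input.

```python
"""Front channel vs back channel in the OIDC authorization code flow.

Added example, not from the Owin.Security.Keycloak project. Shows which
parameters belong in the browser-visible authorization redirect and which
belong only in the confidential token request, plus an audit check that
flags secrets placed in a redirect URL.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameters that must never appear in a browser-visible URL: they end up in
# browser history, proxy logs, Referer headers and server access logs.
FRONT_CHANNEL_FORBIDDEN = {"client_secret", "code_verifier", "refresh_token"}

# Sample input: the leaking redirect quoted in the issue above.
LEAKING_REDIRECT = (
    "https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth"
    "?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak"
    "%2FTestKeycloakCookieAuth%2Fcallback&response_type=code&scope=openid"
    "&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a&client_id=testclient"
    "&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1"
)


def build_authorization_url(auth_endpoint, client_id, redirect_uri, state, scope="openid"):
    """Front channel: only public identifiers go into the redirect URL."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def build_token_request(token_endpoint, client_id, client_secret, code, redirect_uri):
    """Back channel: a server-to-server POST; the secret lives in the form body,
    never in the URL. (HTTP Basic client authentication is the other common
    option; either way the browser never sees the secret.)"""
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "client_id": client_id,
            "client_secret": client_secret,
        },
    }


def audit_front_channel_url(url):
    """Return the sorted names of forbidden parameters present in a redirect URL.

    Both the query string and the fragment are inspected, since either is
    visible to the browser and its extensions.
    """
    parts = urlsplit(url)
    names = set(parse_qs(parts.query, keep_blank_values=True))
    names |= set(parse_qs(parts.fragment, keep_blank_values=True))
    return sorted(names & FRONT_CHANNEL_FORBIDDEN)


def safe_redirect_location(url):
    """Gate to run just before issuing a 302: refuse to redirect if a secret leaks."""
    leaked = audit_front_channel_url(url)
    if leaked:
        raise ValueError(f"refusing redirect; secret parameters in URL: {leaked}")
    return url


if __name__ == "__main__":
    print("issue URL leaks:", audit_front_channel_url(LEAKING_REDIRECT))
    fixed = build_authorization_url(
        "https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth",
        "testclient",
        "http://localhost:1234/owin/security/keycloak/TestKeycloakCookieAuth/callback",
        "oidc_state_8f5c9780e2b0462eb9883ff102f9370a",
    )
    print("fixed URL leaks:", audit_front_channel_url(fixed))
```

The `safe_redirect_location` gate is the kind of check a middleware can run on every outgoing authorization redirect, so a regression like the one in the quoted snippet fails loudly in test rather than shipping the secret to every user's browser history.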


highbyte commented Nov 9, 2017

Issue was fixed in the mattmorg55/Owin.Security.Keycloak fork that works with Keycloak v3.2.

mattmorg55#4
