Using PKCE with Client Authentication Disabled
-
When deploying an SPA, we want to use PKCE with the authorization code grant. However, we want our users to be able to utilise a refresh token for the duration of their sessions. Currently the only way that I can get this to work is by turning "Client Authentication" to "Not required" - instead of our current "Not required when using PKCE" setup.
What is the recommended practice for setting up an SPA with the authorization_code and refresh_token grants? I believe that what we are doing is to spec (https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens). Would the recommendation here be to disable Client Authentication entirely? Or does that have its own risks?
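The two token requests described in the question, as an added example (Python, not the poster's code or any particular server's configuration; the client_id, code and redirect URI are constructed placeholders). It shows why the authorization_code grant can be tied to PKCE while the refresh_token grant from a public client carries only a client_id, which is the request a "client authentication not required when using PKCE" policy has no PKCE to accept.

```python
import base64
import hashlib
import secrets

# Constructed values for the example; not from the question or any deployment.
CLIENT_ID = "example-spa"
REDIRECT_URI = "https://app.example/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """RFC 7636: 43-128 char verifier; challenge = base64url(SHA-256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))  # 32 random bytes -> 43 chars
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def code_exchange_body(code: str, verifier: str) -> dict:
    """Authorization code exchange from a public client: the code_verifier is
    the proof of possession, and no client_secret is sent."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def refresh_body(refresh_token: str) -> dict:
    """RFC 6749 section 6 refresh request. There is no PKCE parameter in this
    grant, so a public client can only identify itself with client_id."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
    }


def server_checks_pkce(stored_challenge: str, body: dict) -> bool:
    """Authorization server side: recompute S256 over the presented verifier and
    compare it in constant time with the challenge stored alongside the code."""
    verifier = body.get("code_verifier", "")
    if not 43 <= len(verifier) <= 128:
        return False
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)
```

Because the refresh request cannot be PKCE-bound, the OAuth 2.0 Security Best Current Practice (RFC 9700) expects refresh tokens issued to public clients to be either sender-constrained or rotated on every use with reuse detection, which is the control to pair with a "not required" client authentication setting.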
-
@calumhall96 I didn't want you to think no one was looking at your post. I am not familiar with this setup, so it is going to take me a while to check it out. In the meantime, if anyone has any ideas, please speak up.