refined-iron-83200
10/25/2021, 8:00 PM
<http://127.0.0.1:3000/callback?code=omYqVFrO75479o0GokWrthFn83S4xzYEH_HuOFprOJ4.qL[…]scope=openid+offline&state=444755-a304-0ee3-bac4-e644e2b54c72>
I would like to call <http://127.0.0.1:4444/oauth2/token> to get an access token and refresh token. This specific call requires passing the base64-encoded client_id and client_secret as basic auth, plus grant_type, code and redirect_uri in the body. Since obviously I don't want to expose my client_secret in the front-end code, should my frontend call a backend endpoint that I make, which contains the client_secret, and that backend then calls Hydra? What is the recommended approach here? Thank you

limited-tent-11422
10/25/2021, 8:06 PM
/callback and exchange code for tokens. The server then has to do something with these tokens (e.g. store them in session) and redirect the user to another page. You can use the state param to actually specify where you want the server to redirect after /callback is handled.
If your /callback is a public route which you handle on the frontend, you have to use the public client (one without a client secret).

refined-iron-83200
10/25/2021, 8:10 PM
POST <http://127.0.0.1:4445/clients>
{
  "client_id": "client-7",
  "endpoint": "<http://127.0.0.1:4445>",
  "redirect_uris": [
    "<http://127.0.0.1:3000/dashboard>"
  ],
  "response_types": [
    "code",
    "id_token"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ]
}

limited-tent-11422
10/25/2021, 8:14 PM
token_endpoint_auth_method set to none, this will allow you to exchange code for tokens with only client_id and will not generate a client secret

refined-iron-83200
10/25/2021, 8:53 PM
<http://abc1234-url.com/home> or just passing the page to redirect <http://url.com/home> is secure enough?

great-doctor-2629
10/27/2021, 6:27 AM

limited-tent-11422
10/27/2021, 10:57 AM

refined-iron-83200
10/27/2021, 3:32 PM