# talk-hydra
Hey everyone, in the authorization code flow after the consent is accepted and the user is redirected to
I would like to call
to get an access token and refresh token. This specific call requires passing the base64-encoded client_id and client_secret as basic auth, plus grant_type, code and redirect_uri in the body. Since obviously I don't want to expose my client_secret in the frontend code, should my frontend call a backend endpoint that I make that contains the client_secret, and that backend calls Hydra? What is the recommended approach here? Thank you
Your server should handle the
and exchange the code for tokens. The server then has to do something with these tokens (e.g. store them in the session) and redirect the user to another page. You can use the
param to specify where you want the server to redirect after the
is handled. If your
is a public route which you handle on the frontend, you have to use a public client (one without a client secret).
Thanks @limited-tent-11422, is there a way to specify that we want to use a public client on the generation of it?
  "client_id": "client-7",
  "endpoint": "<>",
  "redirect_uris": [
  "response_types": [
  "grant_types": [
You can use
set to
; this will allow you to exchange the code for tokens with only the
and will not generate a client secret.
Oh! I'll try that out. Thank you for helping 👍
A question regarding the state: do you include a randomized number with it, or is just passing the page to redirect to secure enough?
@refined-iron-83200 you should use PKCE with public clients (https://oauth.net/2/pkce/). With PKCE you don’t need the state either.
It is not that you don't need a state with PKCE; it is just that you can use it as intended, to maintain some state. With PKCE you don't need a random part in the state.
Perfect, that helps a lot. I'll add PKCE and pass the redirection URL in the state. Thanks again