# talk-hydra
refined-iron-83200

10/25/2021, 8:00 PM
Hey everyone, in the authorization code flow after the consent is accepted and the user is redirected to <http://127.0.0.1:3000/callback?code=omYqVFrO75479o0GokWrthFn83S4xzYEH_HuOFprOJ4.qL[…]scope=openid+offline&state=444755-a304-0ee3-bac4-e644e2b54c72>, I would like to call <http://127.0.0.1:4444/oauth2/token> to get an access token and refresh token. This specific call requires passing the base64-encoded client_id and client_secret as basic auth, plus grant_type, code and redirect_uri in the body. Since I obviously don't want to expose my client_secret in the frontend code, should my frontend call a backend endpoint that I make that contains the client_secret, and that backend calls Hydra? What is the recommended approach here? Thank you
limited-tent-11422

10/25/2021, 8:06 PM
Your server should handle the `/callback` and exchange the code for tokens. The server then has to do something with these tokens (e.g. store them in the session) and redirect the user to another page. You can use the `state` param to actually specify where you want the server to redirect after `/callback` is handled. If your `/callback` is a public route which you handle on the frontend, you have to use a public client (one without a client secret).
refined-iron-83200

10/25/2021, 8:10 PM
Thanks @limited-tent-11422, is there a way to specify that we want to use a public client on the generation of it?

POST <http://127.0.0.1:4445/clients>

```json
{
  "client_id": "client-7",
  "endpoint": "http://127.0.0.1:4445",
  "redirect_uris": [
    "http://127.0.0.1:3000/dashboard"
  ],
  "response_types": [
    "code",
    "id_token"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ]
}
```
limited-tent-11422

10/25/2021, 8:14 PM
You can use `token_endpoint_auth_method` set to `none`; this will allow you to exchange the code for tokens with only the `client_id` and will not generate a client secret.
refined-iron-83200

10/25/2021, 8:53 PM
Oh! I'll try that out. Thank you for helping 👍
A question regarding the state: do you include a randomized number with it (http://abc1234-url.com/home), or is just passing the page to redirect to (http://url.com/home) secure enough?
great-doctor-2629

10/27/2021, 6:27 AM
@refined-iron-83200 you should use PKCE with public clients (https://oauth.net/2/pkce/). With PKCE you don’t need the state either.
limited-tent-11422

10/27/2021, 10:57 AM
It is not like you don’t need a state with PKCE, it is just you can use it as intended to maintain some state. With PKCE you don’t need a random part of the state.
refined-iron-83200

10/27/2021, 3:32 PM
Perfect, that helps a lot. I'll add PKCE and pass the redirection url in the state. Thanks again