# talk-hydra
r
Hey everyone, in the authorization code flow, after the consent is accepted and the user is redirected to <http://127.0.0.1:3000/callback?code=omYqVFrO75479o0GokWrthFn83S4xzYEH_HuOFprOJ4.qL[…]scope=openid+offline&state=444755-a304-0ee3-bac4-e644e2b54c72>, I would like to call <http://127.0.0.1:4444/oauth2/token> to get an access token and a refresh token. This specific call requires passing the base64-encoded client_id and client_secret as basic auth, plus grant_type, code and redirect_uri in the body. Since obviously I don't want to expose my client_secret in the front-end code, should my frontend call a backend endpoint that I make that contains the client_secret, and that specific backend calls Hydra? What is the recommended approach here? Thank you
l
Your server should handle the `/callback` and exchange the code for tokens. The server then has to do something with these tokens (e.g. store them in the session) and redirect the user to another page. You can use the `state` param to actually specify where you want the server to redirect after `/callback` is handled. If your `/callback` is a public route which you handle on the frontend, you have to use a public client (one without a client secret).
r
Thanks @limited-tent-11422, is there a way to specify that we want to use a public client when generating it?

POST <http://127.0.0.1:4445/clients>

```json
{
  "client_id": "client-7",
  "endpoint": "http://127.0.0.1:4445",
  "redirect_uris": [
    "http://127.0.0.1:3000/dashboard"
  ],
  "response_types": [
    "code",
    "id_token"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ]
}
```
l
You can use `token_endpoint_auth_method` set to `none`; this will allow you to exchange the code for tokens with only `client_id` and will not generate a client secret.
r
Oh! I'll try that out. Thank you for helping 👍
A question regarding the state: do you include a randomized number with it (http://abc1234-url.com/home), or is just passing the page to redirect to (http://url.com/home) secure enough?
g
@refined-iron-83200 you should use PKCE with public clients (https://oauth.net/2/pkce/). With PKCE you don’t need the state either.
l
It is not like you don't need a state with PKCE; it is just that you can use it as intended, to maintain some state. With PKCE you don't need a random part of the state.
r
Perfect, that helps a lot. I'll add PKCE and pass the redirection URL in the state. Thanks again