Describe the problem
When the AUTH_CLIENT_SECRET variable is set, the secret is exposed in the JS code without any authentication.
To Reproduce
Set the AUTH_CLIENT_SECRET variable, then download the JS file containing clientSecret with curl or any other download client.
Expected behavior
The request to the token endpoint must be made by the backend to the authorization server, not by the browser. Only the backend should have the clientSecret; it must not be exposed to the dashboard frontend.
Many IdPs do not send CORS headers for the token endpoint: the authorization server expects token requests to be made by a backend server, not by a browser.
Alternatively, the hybrid OIDC flow can be used. In that case the dashboard can obtain ID tokens directly from the authorization endpoint via the frontend, and refresh tokens from the token endpoint via the backend.
https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth
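As an added illustration of the expected behavior (example code, not the dashboard's own code), the sketch below keeps the client secret on the backend: the browser gets only the public part of the config, the backend builds and sends the authorization-code token request, and a build-time check confirms the shipped bundle does not contain the secret. Environment variable names other than AUTH_CLIENT_SECRET, the `/token` path and the function names are assumptions.

```javascript
// Added example: server-side OIDC code exchange with the secret kept on the backend.
// Assumes Node 18+ (global fetch). Env var names besides AUTH_CLIENT_SECRET are assumed.

// Full server-side config, loaded from environment variables on the backend only.
function loadConfig(env) {
  return {
    issuer: env.AUTH_ISSUER,
    clientId: env.AUTH_CLIENT_ID,
    clientSecret: env.AUTH_CLIENT_SECRET, // must never leave this process
    redirectUri: env.AUTH_REDIRECT_URI,
  };
}

// The only part of the config that may be embedded in the JS bundle / sent to the browser.
function publicConfig(cfg) {
  const { clientSecret, ...pub } = cfg;
  return pub;
}

// Build the token request the backend makes to the authorization server.
// Uses client_secret_basic: the secret travels in the Authorization header, server to server.
// Assumes the token endpoint is issuer + '/token' (normally taken from discovery).
function buildTokenRequest(cfg, code) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri,
    client_id: cfg.clientId,
  });
  const basic = Buffer.from(`${cfg.clientId}:${cfg.clientSecret}`).toString('base64');
  return {
    url: `${cfg.issuer}/token`,
    options: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        Authorization: `Basic ${basic}`,
      },
      body: body.toString(),
    },
  };
}

// Backend-side exchange: the browser only ever hands the backend the `code`.
async function exchangeCode(cfg, code, fetchImpl = fetch) {
  const { url, options } = buildTokenRequest(cfg, code);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json(); // { access_token, id_token, refresh_token, ... }
}

// CI / build-time check mirroring the report's repro: does the shipped bundle contain the secret?
function bundleLeaksSecret(bundleText, secret) {
  return typeof secret === 'string' && secret.length > 0 && bundleText.includes(secret);
}
```

Running `bundleLeaksSecret` against the built JS in CI, with the real value of AUTH_CLIENT_SECRET, turns the repro step from this report into a regression test.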