Layer7 API Management

  • 1.  oidc flow secret key

    Posted Oct 01, 2020 12:53 PM
    Edited by Sharath Yeramalla Oct 01, 2020 02:09 PM
    Hi There,
    When I use OIDC(openID) flow from angular/react for authentication on top of oAuth, initially I use response_type=code to get a code, during this first call it returns a code. Subsequently, in this call I use this returned code to get an access_token.During this 2nd call will send the secret_key along with the code obtained from the first call from the front channel, since angular doesn't have any backchannel to perform this. The question I intend to ask was that, as may you know this both calls will perform from the frontend(Angular). how would I mitigate this risk of exposing the secret_key which is visible from the browser agent, is there any mechanism to protect/hide secret_key visible to the browser agent? Pls advice.

    Thanks


  • 2.  RE: oidc flow secret key

    Broadcom Employee
    Posted Oct 01, 2020 03:18 PM
    Hello

    This is what the OIDC Authorization Code + PKCE flow was designed to address with public clients, to avoid the need to have the shared secret exposed.

    The OTK supports this flow:
    https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/customizing-the-oauth-toolkit/configure-pkce-support.html
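    As an added illustration of the PKCE mechanics the reply refers to (example code, not from the thread or from the OTK itself): the browser keeps a random code_verifier, sends only its SHA-256 challenge with response_type=code, and the token endpoint later checks the verifier against the challenge stored with the code, so no client secret ever travels through the browser. Node's crypto module stands in for the browser's WebCrypto here, and the authorize URL base, client id and redirect URI are placeholders.

    ```javascript
    // Added example (not the thread's or OTK's code): PKCE pieces of the
    // Authorization Code flow for a public client such as an Angular SPA.
    const crypto = require("crypto");

    // RFC 7636 base64url: '+' -> '-', '/' -> '_', padding removed.
    function base64url(buf) {
      return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
    }

    // Browser side, before the redirect: a high-entropy verifier (43-128 chars)
    // that stays in the browser session and is never sent to /authorize.
    function createCodeVerifier() {
      return base64url(crypto.randomBytes(32)); // 32 random bytes -> 43 chars
    }

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    function codeChallengeS256(verifier) {
      return base64url(crypto.createHash("sha256").update(verifier, "ascii").digest());
    }

    // The first call from the question (response_type=code): only the
    // challenge goes over the front channel, no secret. Base URL is a placeholder.
    function buildAuthorizeUrl(base, clientId, redirectUri, challenge, state) {
      const p = new URLSearchParams({
        response_type: "code", client_id: clientId, redirect_uri: redirectUri,
        scope: "openid", code_challenge: challenge, code_challenge_method: "S256", state,
      });
      return `${base}?${p.toString()}`;
    }

    // Token endpoint side (the second call): the verifier presented with the
    // code must hash to the challenge stored when the code was issued.
    function verifyPkce(storedChallenge, method, presentedVerifier) {
      if (typeof presentedVerifier !== "string") return false;
      if (presentedVerifier.length < 43 || presentedVerifier.length > 128) return false;
      if (!/^[A-Za-z0-9\-._~]+$/.test(presentedVerifier)) return false;
      let expected;
      if (method === "S256") expected = codeChallengeS256(presentedVerifier);
      else if (method === "plain") expected = presentedVerifier; // RFC-allowed but weaker
      else return false;
      const a = Buffer.from(expected), b = Buffer.from(storedChallenge);
      return a.length === b.length && crypto.timingSafeEqual(a, b); // constant-time compare
    }

    module.exports = { createCodeVerifier, codeChallengeS256, buildAuthorizeUrl, verifyPkce };
    ```

    The S256 test vector from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk) yields the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM, which is a quick way to confirm an implementation before wiring it to the OTK.
    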



  • 3.  RE: oidc flow secret key

    Posted Oct 01, 2020 04:07 PM
    Is this PKCE feature present in OTK 4.0 CR01.242?