1.
oidc flow secret key
Sharath Yeramalla
Posted Oct 01, 2020 12:53 PM
Edited by Sharath Yeramalla Oct 01, 2020 02:09 PM
Hi There,
When I use the OIDC (OpenID) flow from Angular/React for authentication on top of OAuth, I initially use response_type=code to get a code; this first call returns a code. Subsequently, in the second call I use this returned code to get an access_token. During this second call I will send the secret_key along with the code obtained from the first call over the front channel, since Angular doesn't have any back channel to perform this. The question I intend to ask is that, as you may know, both of these calls will be performed from the frontend (Angular). How would I mitigate this risk of exposing the secret_key, which is visible from the browser agent? Is there any mechanism to protect/hide the secret_key visible to the browser agent? Please advise.
Thanks
2.
RE: oidc flow secret key
Broadcom Employee
Barry Stern
Posted Oct 01, 2020 03:18 PM
Hello
This is what the OIDC Authorization Code + PKCE flow was designed to address with public clients, to avoid the need to have the shared secret exposed.
The OTK supports this flow:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/customizing-the-oauth-toolkit/configure-pkce-support.html
3.
RE: oidc flow secret key
Sharath Yeramalla
Posted Oct 01, 2020 04:07 PM
Is this PKCE feature present in OTK 4.0 CR01.242?