Client Secret for API to Go with SPA

Hi,

I have a Vue.js demo and a resource server demo working. I need to put the two together, but they are using different Application Types. The Vue.js app is configured as an SPA type and the resource is a Web type. Is there a way to bridge the two or to find a Client Secret for the SPA type?

I’m using the JavaEE WildFly application, which comes with a special OAuth introspection mechanism. I have to provide a Client ID + Secret, which works perfectly for the Web type (WildFly does the Base64 encoding and sets the headers). This may be a WildFly limitation, as I see that “None” is a valid authentication for my introspection endpoint, but I don’t have control over that.

Thanks,
Carl

What is your resource server doing that it has its own application? Why is it not simply receiving the access tokens granted to users of your SPA and validating them to grant them access to protected resources?

They’re two separate apps now as I evaluate. One is Web type, the other is SPA type. I only need one app.

I have a special OAuth 2.0 connector for my app server that requires Client ID and Client Secret to form an Authorization header. This works with the Web application type. There isn’t an option for me to leave the fields blank in this particular implementation.

However, there’s no Client Secret (Web type) on the SPA side. So, I configured a second app which is working (SPA type).

I’m checking with the maker of the connector (RedHat) to see if there is an option in the works to allow for an introspection authentication type of “None”.

Here’s a link to the connector mentioned above:

https://docs.wildfly.org/14/WildFly_Elytron_Security.html#validating-oauth2-bearer-tokens
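The exchange this thread is about, as an added example that is not part of the thread, of WildFly Elytron, or of any vendor's connector: a resource server validates an incoming bearer token by calling an RFC 7662 introspection endpoint, authenticating itself with its Client ID and Client Secret in a Basic `Authorization` header (the header the connector builds for you). The authorization server is an in-process stub written for this example, and the client names, the secret, the tokens and the audience are constructed values. The stub refuses any caller that cannot authenticate, which is why a public SPA-type client with no secret (`spa-client` below) cannot be the introspecting party, and why the resource server needs credentials of its own while the SPA remains the client whose tokens are introspected.

```python
import base64
import hmac
import urllib.parse

# Constructed fixture (an assumption for this example, not data from the
# thread): one confidential client the resource server uses to call the
# introspection endpoint, and the tokens the stub authorization server knows.
# Expiry is relative to a fixed NOW so the example is deterministic.
NOW = 1_700_000_000
REGISTERED_CLIENTS = {"rs-introspector": "s3cret:with:colons"}
TOKEN_STORE = {
    "tok-valid":   {"active": True, "sub": "carl", "scope": "api:read api:write",
                    "aud": "api://demo", "exp": NOW + 300},
    "tok-expired": {"active": True, "sub": "carl", "scope": "api:read",
                    "aud": "api://demo", "exp": NOW - 1},
    "tok-other":   {"active": True, "sub": "carl", "scope": "api:read",
                    "aud": "api://other", "exp": NOW + 300},
}


def basic_auth_header(client_id, client_secret):
    """client_secret_basic (RFC 6749 section 2.3.1): form-urlencode both parts
    before Base64, so a ':' or '%' inside the secret cannot be mis-split."""
    creds = (urllib.parse.quote(client_id, safe="") + ":"
             + urllib.parse.quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(creds.encode()).decode()


def build_introspection_request(client_id, client_secret, token):
    """The HTTP pieces a resource server sends to the introspection endpoint."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body


def stub_introspection_endpoint(headers, body, now=NOW):
    """Stand-in for the authorization server (constructed for this example).
    RFC 7662 section 2.1 requires the caller to be authorized, so a client that
    presents no valid secret is refused before any token lookup happens."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        raw = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except ValueError:
        return 401, {"error": "invalid_client"}
    cid, _, secret = raw.partition(":")
    cid, secret = urllib.parse.unquote(cid), urllib.parse.unquote(secret)
    expected = REGISTERED_CLIENTS.get(cid)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    token = urllib.parse.parse_qs(body).get("token", [""])[0]
    meta = TOKEN_STORE.get(token)
    # Unknown, revoked and expired tokens all look the same to the caller.
    if meta is None or not meta["active"] or meta["exp"] <= now:
        return 200, {"active": False}
    return 200, dict(meta)


def introspect(client_id, client_secret, token, now=NOW):
    """Resource-server side: build the request, send it to the (stub) endpoint."""
    headers, body = build_introspection_request(client_id, client_secret, token)
    return stub_introspection_endpoint(headers, body, now)


def authorize_request(bearer_token, client_id, client_secret,
                      required_scope, expected_aud, now=NOW):
    """Decision for one incoming API request carrying a bearer token: the token
    must be active, issued for this resource (aud) and carry the needed scope."""
    status, resp = introspect(client_id, client_secret, bearer_token, now)
    if status != 200:
        # Our own credentials were rejected: a deployment problem, not a bad token.
        raise RuntimeError(f"introspection refused: {resp}")
    if not resp.get("active"):
        return False
    if resp.get("aud") != expected_aud:
        return False
    return required_scope in resp.get("scope", "").split()


if __name__ == "__main__":
    print(authorize_request("tok-valid", "rs-introspector", "s3cret:with:colons",
                            "api:read", "api://demo"))   # True
    print(introspect("spa-client", "", "tok-valid")[0])    # 401: no secret, cannot authenticate
```

The `aud` and scope checks after introspection are the part a connector usually leaves to you: an `active` token is only proof that the authorization server issued it, not that it was issued for this API or for the operation being requested.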