OKTA OAuth 2.0 PKCE with Okta ASP.NET middleware nuget package - without using client secret

osoccol · November 18, 2022, 7:15am

Hello team!
I am implementing a .net core 6 app and I’m using OKTA OAuth 2.0 PKCE with Okta ASP.NET middleware nuget package.
Initially I have configured a OKTA application and used the client secret in my .net core 6 app configuration with no issues. However, now my team is asking me to achieve the same integration without using client secret as in their opinion it can be achieved without. Are you aware of a way I can achieve this? From looking at your package source I see client secret is mandatory.

Another question: Given my .net core 6 app is hosted in a server (not SPA), am I right in saying it’s completely secure to store the client secret in my settings as it’s never surfaced in any front-end?

andrea · December 21, 2022, 6:32pm

At this time, our .NET middleware only supports Client ID/Client Secret auth.

And you’re correct, as long as the Secret is stored server side, there’s no reason to move to creating a SPA without a Client Secret. That option primarily exists for front-end applications that will not be able to secure a secret when it makes its requests to Okta (to get the users tokens, etc)

system · February 12, 2024, 10:40pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Add an external Identity Provider for an app for which client secret is not known Questions	7	3896	February 12, 2024
Can I create a custom OIDC IDP for a Single Page OIDC App WITHOUT client secret? OAuth/OIDC	2	169	July 3, 2024
Need to secure API endpoint with client id and secret OAuth/OIDC dotnet	4	106	August 19, 2024
Where to get Client Secret? Questions	3	4382	July 29, 2021
Authorization server configuration OAuth/OIDC api	6	2378	January 19, 2024

OKTA OAuth 2.0 PKCE with Okta ASP.NET middleware nuget package - without using client secret

Related topics