OKTA OAuth 2.0 PKCE with Okta ASP.NET middleware nuget package - without using client secret

Hello team!
I am implementing a .NET Core 6 app and I'm using Okta OAuth 2.0 PKCE with the Okta ASP.NET middleware NuGet package.
Initially I configured an Okta application and used the client secret in my .NET Core 6 app configuration with no issues. However, now my team is asking me to achieve the same integration without using a client secret, as in their opinion it can be achieved without one. Are you aware of a way I can achieve this? From looking at your package source I see the client secret is mandatory.

Another question: given that my .NET Core 6 app is hosted on a server (not a SPA), am I right in saying it's completely secure to store the client secret in my settings, as it's never surfaced in any front-end?

At this time, our .NET middleware only supports Client ID/Client Secret auth.

And you're correct, as long as the Secret is stored server side, there's no reason to move to creating a SPA without a Client Secret. That option primarily exists for front-end applications that will not be able to secure a secret when they make their requests to Okta (to get the user's tokens, etc.).
