Single page App - where to find the client secret?

My application at Okta is a Single Page App; there’s no client secret, just a client ID. But my web application that intends to use Okta OpenID Connect as the IDP requires the “Client Secret”, as does Postman (request for the ID_Token).

I wonder where to dig out the Client Secret for an Okta single page app? Is there a better way to solve this issue?

Thank you for the help,
Susan

Hi @szheng! For Single Page Apps (browser-based apps) the client secret does not apply as it cannot be kept safe as mentioned here - Single-Page Apps - OAuth 2.0 Simplified.

Single-page apps (or browser-based apps) run entirely in the browser after loading the JavaScript and HTML source code from a web page. Since the entire source is available to the browser, they cannot maintain the confidentiality of a client secret, so the secret is not used for these apps. The flow is exactly the same as the authorization code flow, but at the last step, the authorization code is exchanged for an access token without using the client secret.
