Using authorization code flow for web client with client secret


I am not sure if you are trying to run auth-js in server mode or client mode?

  • In client mode (SPA apps) the browser would initialize auth-js, do the authorize flow, and store token in the local browser storage.
  • In server mode auth-js would be initialized in a Node app, the Node app would handle the redirect URI and store tokens.

It is much more common to run auth-js client side, but when using with a public app there is no client_secret. A client_secret would only be used for a web app.

I suggest testing a couple of samples to see which fits your use case best.

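The difference between the two modes described in the reply above shows up when the authorization code is redeemed at the token endpoint. The sketch below is an added example, not code from auth-js or from the original post: it uses standard OAuth 2.0 parameters, `buildTokenRequest` is a hypothetical helper, and all client IDs, secrets, codes and URLs passed to it are constructed sample values.

```javascript
// Added example (not auth-js code): build the token-endpoint request that
// redeems an authorization code, for the two modes discussed above.
//   mode 'client': SPA / public app. No client_secret exists; the request
//                  carries the PKCE code_verifier instead.
//   mode 'server': web app running in Node. The client_secret stays on the
//                  server and is sent via HTTP Basic authentication.
function buildTokenRequest({ mode, clientId, clientSecret, code, redirectUri, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  if (mode === 'client') {
    // Anything shipped to a browser is readable by the user, so a secret
    // configured here would no longer be a secret. Fail loudly.
    if (clientSecret) throw new Error('public client must not hold a client_secret');
    if (!codeVerifier) throw new Error('public client requires a PKCE code_verifier');
    body.set('client_id', clientId);
    body.set('code_verifier', codeVerifier);
  } else if (mode === 'server') {
    if (!clientSecret) throw new Error('web app requires a client_secret');
    // RFC 6749 section 2.3.1: id and secret are form-encoded, joined with ':',
    // then Base64-encoded into the Authorization header.
    const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
    headers.Authorization = `Basic ${Buffer.from(pair).toString('base64')}`;
  } else {
    throw new Error(`unknown mode: ${mode}`);
  }
  return { headers, body: body.toString() };
}

// Constructed sample values, for illustration only.
const redirectUri = 'https://app.example/login/callback';
const spaRequest = buildTokenRequest({
  mode: 'client', clientId: 'sample-spa-client-id', code: 'sample-auth-code',
  redirectUri, codeVerifier: 'v'.repeat(43),
});
const webRequest = buildTokenRequest({
  mode: 'server', clientId: 'sample-web-client-id', clientSecret: 'sample-secret',
  code: 'sample-auth-code', redirectUri,
});
console.log(spaRequest, webRequest);
```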