
I am looking to extend our ID server instance to support mobile apps and wish to use Authorization Code Flow with PKCE. As this is a public client, I do not wish to store the secret in the app, but it appears ID3 requires a secret. Can anyone confirm this? If it is the case, I may need to look at upgrading ID3 to ID4, which is going to be an issue with my timelines.

Kind Regards, Lastbuilders

1 Answer


Specifying a secret for a public client is not an issue with code + PKCE flow. In that case it's just a rudiment, hardly adding more security. That's why they introduced an option to switch it totally off.

d_f
  • Did they add the option in ID3 or ID4? – Richard Barnett Jan 22 '21 at 05:54
  • They added the option at the very beginning of Identityserver4 (for the ASP.Net Core 1x). The latest (and the last) one is Identityserver4 v.4 (for ASP.Net Core 3x). And Identityserver3 (without the option) is for .Net 4.x and OWIN. (Just to avoid any misunderstanding) – d_f Jan 22 '21 at 10:15
  • Thanks @d-f, we've been using ID3 for a while but have only just started looking at PKCE, so I wondered if I'd missed this option. – Richard Barnett Jan 24 '21 at 07:01
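The option the answer refers to, shown as an added example (not code from the question, the answer, or the IdentityServer project): an IdentityServer4 v4 `Client` definition for a public mobile app that uses code + PKCE with no client secret. The client id, redirect URIs and the `api1` scope are assumed values.

```csharp
// Added example: IdentityServer4 client configuration for a public native app.
// Assumes IdentityServer4 v4 (ASP.NET Core 3.x); IdentityServer3 has no
// equivalent of RequireClientSecret, which is the point of the answer above.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "mobile-app",                     // assumed client id
                ClientName = "Mobile App (public client)",
                AllowedGrantTypes = GrantTypes.Code,

                // Public client: nothing shipped in the app binary is secret,
                // so do not require a client secret at the token endpoint.
                RequireClientSecret = false,

                // PKCE is what binds the authorization code to the app instance
                // that started the flow; require it and reject the "plain" method.
                RequirePkce = true,
                AllowPlainTextPkce = false,

                // Custom-scheme redirect URIs typical for native apps (assumed values).
                RedirectUris = { "com.example.mobileapp://callback" },
                PostLogoutRedirectUris = { "com.example.mobileapp://signout" },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1"                                   // assumed API scope
                },

                // Refresh tokens on a public client: rotate on every use so a
                // leaked token cannot be replayed indefinitely.
                AllowOfflineAccess = true,
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                RefreshTokenExpiration = TokenExpiration.Sliding
            }
        };
    }
}
```

Register it with `AddInMemoryClients(Clients.Get())` in the IdentityServer builder; the mobile app then sends `code_challenge`/`code_verifier` and omits `client_secret` entirely.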