
My application has a login page that contains only a button that redirects to the WSO2 Identity Server Authorization Server.

This redirect is done by the library angular-oauth2-oidc.

Then I have a backend that calls the WSO2 SCIM 2.0 APIs.

In my OAuthConfig I specify only the clientId (because I know that the client secret should never be in the front-end), and I've noticed that the library automatically uses the Authorization Code flow with PKCE, because it adds the parameter code_challenge to the URL. I'm fine with that, since I read that this type of flow is good when you don't want to use the client secret.

When I enter my credentials, I'm redirected to the URL that I specified in the redirect_uri of the OAuthConfig. Then I click on a button to add a new item, and this event calls my backend API (which calls the WSO2 SCIM API). And it doesn't work.

But if I specify in the OAuthConfig the clientId AND the clientSecret, then it works.

And I don't understand why, since I'm using the flow with PKCE. I'm guessing that the problem is with the access token that gets generated? Is there any step I'm missing?

ffff
  • If the clientSecret value is not given in OAuthConfig, what is the response you get for the SCIM API request? – Anuradha Karunarathna Dec 08 '22 at 00:57
  • What is the IS version you are using? If it is 6.0, you need to mark that app as a `Management App` in IS https://is.docs.wso2.com/en/latest/apis/overview/#oauth-based-authentication? – Piraveena Paralogarajah Dec 08 '22 at 04:45
  • It's really hard to tell without a way to minimally reproduce your situation. I know it's been some time since you asked the question, but I think we need some code that illustrates the issue. (As a general hint, you could [clone my sample repo](https://github.com/jeroenheijmans/sample-angular-oauth2-oidc-with-auth-guards) and reconfigure it to use your own IDP to see if that works.) – Jeroen Mar 02 '23 at 08:56

0 Answers