Hi there, I think you've got a valid point here. I.e. it would probably be 
correct if /oidc/authorize wouldn't let you issue an authorization code *if 
there seems to be no way to use that code* - because when there is no 
*client_secret* nor *code_challenge* to check (nor other authentication 
methods set up), then how can the client authenticate when trying to get an 
access token from the code?
On Tuesday, 28 March 2023 at 12:12:37 UTC+2 Jorge Domingo wrote:

> Hi, I am new to using CAS.
>
> I want to implement a public client with the authorization code PKCE flow 
> so that the client does not have to use the client secret.
> I have read in the documentation of my version that CAS accepts the 
> authorization code PKCE flow in /oidc/authorize in the same way as it does 
> with the authorization code flow. So I have removed the client secret from 
> the client JSON so that I don't have to use it for the flow. 
>
> My problem is that when I make requests with Postman, it allows me to 
> use both the authorization code PKCE and the authorization code flow for 
> that client without a client secret. How can I make it so that it only 
> supports the authorization code PKCE flow, and that if it does not receive a 
> code_challenge from the client the call to /oidc/authorize fails? 
> In other words, make code_challenge a mandatory parameter for this 
> application when using the /oidc/authorize endpoint.
>

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
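The policy the reply argues for, written out as an added illustration (not CAS code; the client registry and function names are hypothetical): /oidc/authorize refuses to mint a code for a client that has no secret and no other authentication method unless the request carries an S256 code_challenge, and /oidc/token later checks the code_verifier against that stored challenge.

```python
import base64
import hashlib
import secrets

# Constructed client registry for the example. "other_auth" stands in for any
# non-secret client authentication method (mTLS, private_key_jwt, ...).
CLIENTS = {
    "public-spa": {"client_secret": None, "other_auth": False},
    "confidential-app": {"client_secret": "constructed-secret", "other_auth": False},
}


def can_issue_code(client_id: str, params: dict) -> tuple[bool, str]:
    """/oidc/authorize decision: never issue a code that nobody could redeem.

    A client with no credential of any kind must bind the code with PKCE;
    a client that can authenticate at /oidc/token may skip it.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "unknown client"
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # RFC 7636 default
    if challenge:
        if method != "S256":
            return False, "code_challenge_method must be S256"
        return True, "ok: code bound to PKCE challenge"
    if client["client_secret"] or client["other_auth"]:
        return True, "ok: client can authenticate at /oidc/token"
    return False, "code_challenge is required for a public client"


def make_pkce_pair() -> tuple[str, str]:
    """Client side: random verifier and its S256 challenge (base64url, no padding)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """/oidc/token side: S256 check of the verifier against the stored challenge."""
    if not 43 <= len(code_verifier) <= 128:  # length bounds from RFC 7636
        return False
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    computed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(computed, stored_challenge)
```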
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3de03dd5-7f4e-4384-9244-f24ed5222748n%40apereo.org.