Looking for a simple answer to this. SPAs and clients with a back-end can both use Auth Code + PKCE. However, clients with a back-end use secrets (SPAs can't be trusted to keep one).
So, is requiring a secret completely up to the IdP (Auth0)? The way I understand this is that Auth0 will set a flag RequireSecret = true and that's the only thing that makes the server-side app more secure. The spec does not require it. Is this true? What am I missing?
The client secret won’t be used in the Auth Code + PKCE flow. This flow is intended for use when a backend is not available (SPA or native apps). In traditional web apps that have a backend, the original Authorization Code flow is used. Let me know if that answers your question! Here is additional info about the Auth Code + PKCE flow and an overview of the implementation with Auth0:
Currently, the PKCE flow is only supported with public clients (native/SPA) within Auth0. If this is something that you’d like to see supported, I’d recommend providing your use case in a feature request in the Feedback category: Feedback - Auth0 Community