Authorization code flow without client-secret?

Hi there,

We’re trying to write automated smoke tests against our platform, and as part of that effort we want to automate logging into auth0.

We’re using a standard ‘username-password’ connection in auth0 and using Authorization Code flow to log in.

We’ve been able to get it to work, but only if I pass the client secret as part of exchanging the authorization code for an access token. I don’t understand why, because our mobile application is able to do this without the client secret.

I’ve created a git repo with my code here (GitHub - Erwinvandervalk/DotnetAuth0Login: Logging in to auth0 using authorization_code flow). Any tips on what I’m doing wrong with the client secret would be greatly appreciated.



That’s because a Native app uses the Authorization Code Flow with PKCE, whereas a regular web app uses the Authorization Code flow. This differentiation is because regular web apps are server-side apps, so they don’t expose the source code, whereas Native apps are not under the developer’s control, so they need additional security with the PKCE flow.

What is the actual problem with sending client secret with the request?

Hi Ashish,

Thank you for your reply. You are correct, I’m trying to execute Authorization Code flow with PKCE. Maybe it helps if I explain our use case a bit better.

I want to write an automated test suite that can be executed automatically (by a build server for example) or manually from a developer’s machine against a running environment. Especially for developers, I don’t want client secrets lying around that have access to our testing / production accounts.

I have configured my application in auth0 to be native (or spa) but that doesn’t make any difference.

In a different bit of code, I used a system browser component to get an access token. This seems to work fine without a client secret.

So, in my test I’m trying to simulate exactly what the browser / mobile app is doing. If a user with a browser is able to get an access token, why isn’t my test able to do the same thing? As far as I can tell (using Fiddler to sniff traffic), I’m executing the same requests that the browser is doing.


Ok, one of my colleagues figured it out. Apparently setting the ClientCredentialStyle = ClientCredentialStyle.PostBody solves the problem.

For those interested: client secret removed by mskobzev · Pull Request #2 · Erwinvandervalk/DotnetAuth0Login · GitHub


Thanks a lot @erwin.vandervalk for sharing it with the rest of the community!