Configure OIDC connection for Single-Page-Application

I added an OIDC connection for an SPA (React). The configuration was given to me by the institution we’re setting the connection up for. When using the OIDC connection to log in, I receive this error:

Failed Login:

invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method) The OAuth 2.0 Client supports client authentication method “none”, but method “client_secret_post” was requested. You must configure the OAuth 2.0 client’s “token_endpoint_auth_method” value to accept “client_secret_post”.)

I have updated our OAuth client to use “client_secret_post” as the token endpoint auth method, but I still receive this error. Any help would be greatly appreciated!

Hi there,

Thank you for reaching out to us!

Wanted to provide some information, in case others find this useful as well, but I believe that you are using an external API that is requesting the client_secret_post method, and the SPA application should have its authentication method set to none.

This might be problematic, as SPAs are not confidential clients and are not able to store client secrets, and storing them on the frontend presents a security risk, as they are exposed and easily accessible. One way that might work would be to set up your own API for authentication.

Some useful documentation that I can recommend reading through:

Hope this helped!
Gerald
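
As an added illustration (not part of the posts above and not the identity provider's own code), the sketch below contrasts the token request of a public SPA client with that of a confidential backend, and models the method mismatch reported in the error. The function names, the simplified check and all sample values are assumptions constructed for this example.

```javascript
// Constructed illustration: models only the two methods named in the error message.

// Infer the client authentication method a token request is actually using.
function requestedAuthMethod(body) {
  return body.has('client_secret') ? 'client_secret_post' : 'none';
}

// Public client (browser SPA): sends a PKCE code_verifier and no secret.
function spaTokenRequest({ clientId, code, redirectUri, codeVerifier }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: codeVerifier,
  });
}

// Confidential client (your own backend API): the secret goes in the POST body
// and never reaches the browser bundle.
function backendTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    client_secret: clientSecret,
  });
}

// Simplified model of the server-side check behind the invalid_client error:
// the method the request uses must equal the registered token_endpoint_auth_method.
function checkClientAuth(registeredMethod, body) {
  const requested = requestedAuthMethod(body);
  return requested === registeredMethod
    ? { ok: true }
    : { ok: false, error: 'invalid_client', registered: registeredMethod, requested };
}

// Constructed sample values, run through the registration/request combinations.
function demo() {
  const common = { clientId: 'example-client', code: 'example-code', redirectUri: 'https://app.example/callback' };
  const spa = spaTokenRequest({ ...common, codeVerifier: 'example-verifier' });
  const backend = backendTokenRequest({ ...common, clientSecret: 'example-secret' });
  return {
    noneVsSecret: checkClientAuth('none', backend), // the mismatch in the question
    noneVsSpa: checkClientAuth('none', spa),
    postVsBackend: checkClientAuth('client_secret_post', backend),
  };
}
console.log(demo());
```

The `noneVsSecret` case reproduces the reported mismatch: a request carrying `client_secret` against a client registered with method `none`.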