Hi there,
Thank you for reaching out to us!
Wanted to provide some information, in case others find this useful as well, but I believe that you are using an external API that is requesting the client_secret_post method, and the SPA application should have its authentication method set to none.
This might be problematic, as SPAs are not confidential clients and are not able to store client secrets, and storing them on the frontend presents a security risk, as they are exposed and easily accessible. One way that might work would be to set up your own API for authentication.
Some useful documentation that I can recommend reading through:
- "Invalid_client (Invalid Authentication Method for Accessing this Endpoint.)" on OIDC Connection
- Difference between SPA, Regular Web App, and even Native Apps? - #5 by thestephenstanton
- Storing client secret in SPA
- Authentication method misunderstanding
Hope this helped!
Gerald
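
Added example, not part of the original reply and not the vendor's code: a sketch of the difference between the `none` and `client_secret_post` token endpoint authentication methods, and of a backend exchange that adds the secret server-side so the SPA never holds it. The endpoint URL, client IDs, `env` keys and the injected `post` transport are assumptions made for illustration.

```javascript
// Constructed placeholder; substitute the identity provider's real token endpoint.
const TOKEN_ENDPOINT = "https://idp.example.com/oauth/token";

// Build the form-encoded authorization-code exchange for a given
// token_endpoint_auth_method ("none" or "client_secret_post").
function buildTokenRequest({ authMethod, clientId, clientSecret, code, codeVerifier, redirectUri }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    code,
    redirect_uri: redirectUri,
  });
  if (codeVerifier) body.set("code_verifier", codeVerifier); // PKCE verifier, if the flow uses one

  if (authMethod === "client_secret_post") {
    // Confidential client: the secret travels in the POST body, so this
    // request must only ever be built on a server.
    if (!clientSecret) throw new Error("client_secret_post requires a client secret");
    body.set("client_secret", clientSecret);
  } else if (authMethod === "none") {
    // Public client (SPA): no client authentication at the token endpoint.
    if (clientSecret) throw new Error("a public client must not send a client secret");
  } else {
    throw new Error(`unsupported auth method: ${authMethod}`);
  }
  return {
    url: TOKEN_ENDPOINT,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Backend handler (hypothetical): the SPA sends only the code and verifier.
// The secret comes from server-side configuration (env), never from the browser.
// `post` is the HTTP transport, injected so the example runs offline.
function exchangeOnBackend(spaPayload, env, post) {
  const request = buildTokenRequest({
    authMethod: "client_secret_post",
    clientId: env.CLIENT_ID,
    clientSecret: env.CLIENT_SECRET,
    code: spaPayload.code,
    codeVerifier: spaPayload.codeVerifier,
    redirectUri: env.REDIRECT_URI,
  });
  return post(request);
}
```
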