Overview
When a SPA application is created or updated via the Management API, the /oauth/token call it makes after a successful login fails with an unauthorized error.
Applies To
- SPA
- Management API
Cause
The Management API allows for setting application settings that are not possible when using the Dashboard alone.
For example, setting an application to be an SPA type in the dashboard will also automatically change the token endpoint authentication method to an appropriate value for an SPA type app (“none”) and hide the setting so it cannot be changed.
When using the Management API, on the other hand, setting the app_type attribute triggers no additional automatic updates; only the attributes explicitly passed in the POST or PATCH call are updated on the respective application.
The Dashboard will show the current setting for the endpoint auth method (e.g., client secret POST) in the credentials tab if it is set to something other than “none” for an application set to type “SPA”. However, if it is already set to none, the credentials tab will be missing from the application’s settings page.
Solution
Check the token endpoint authentication method in use by the application. For a SPA type application this should be set to “none”: a SPA cannot securely store a client secret, so it calls /oauth/token without a client secret parameter, and any other method causes that call to be rejected.
Setting an application configured for application type “SPA” to use the token endpoint authentication method “none” will also hide the credentials tab for future visits to the application’s settings in the dashboard.
Similarly, in the tenant Dashboard, toggling the application type to another type, saving, and then setting it back to SPA will also update the application to use SPA-relevant settings.
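The following is an added example, not Auth0's own code, that audits a tenant's clients for exactly the mismatch described above and builds the PATCH body that repairs it. Because the Management API updates only what is explicitly passed, the repair sends both app_type and token_endpoint_auth_method together. It assumes the Management API field names app_type and token_endpoint_auth_method with the values "spa" and "none", the GET and PATCH /api/v2/clients endpoints with per_page/page paging, and the read:clients / update:clients scopes; the client records below are constructed sample data, and a client record with no auth method at all is flagged conservatively rather than assuming a default.

```python
"""Audit Auth0 clients for SPA apps whose token endpoint auth method is not "none".

Added example, not Auth0's own code. Assumed Management API details: the fields
app_type and token_endpoint_auth_method, the values "spa" and "none", and the
GET/PATCH /api/v2/clients endpoints.
"""
import json
import os
import urllib.request

# Constructed sample of what GET /api/v2/clients might return (not real tenant data).
SAMPLE_CLIENTS = [
    {"client_id": "spa_ok", "name": "Dashboard-created SPA", "app_type": "spa",
     "token_endpoint_auth_method": "none"},
    {"client_id": "spa_bad", "name": "API-created SPA", "app_type": "spa",
     "token_endpoint_auth_method": "client_secret_post"},
    {"client_id": "web_ok", "name": "Regular web app", "app_type": "regular_web",
     "token_endpoint_auth_method": "client_secret_post"},
    # Created via the API with only app_type set; no auth method in the record.
    {"client_id": "spa_missing", "name": "Minimal SPA", "app_type": "spa"},
]

# Body for PATCH /api/v2/clients/{client_id}. Both fields are sent because the
# API applies only the attributes passed; app_type alone changes nothing else.
SPA_FIX = {"app_type": "spa", "token_endpoint_auth_method": "none"}


def needs_fix(client):
    """True when a SPA client would call /oauth/token without a secret while the
    tenant still expects one (any method other than "none").

    A missing token_endpoint_auth_method is flagged as well: this example does
    not assume what the tenant defaults it to, so it is treated as unverified.
    """
    if client.get("app_type") != "spa":
        return False
    return client.get("token_endpoint_auth_method") != "none"


def audit(clients):
    """Return (client_id, current_method) for every client that needs repair."""
    return [(c["client_id"], c.get("token_endpoint_auth_method"))
            for c in clients if needs_fix(c)]


def patch_body(client):
    """Repair body for a flagged client; independent of its current settings."""
    return dict(SPA_FIX)


def _request(domain, token, path, method="GET", body=None):
    """Minimal Management API call. Network access; never run at import time."""
    req = urllib.request.Request(
        f"https://{domain}{path}",
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_clients(domain, token):
    """First page of clients (assumed per_page/page query parameters)."""
    return _request(domain, token, "/api/v2/clients?per_page=100&page=0")


def apply_fix(domain, token, client_id):
    """Send the repair PATCH (assumed scope: update:clients)."""
    return _request(domain, token, f"/api/v2/clients/{client_id}",
                    method="PATCH", body=patch_body({}))


if __name__ == "__main__":
    # Placeholders: set AUTH0_DOMAIN and AUTH0_MGMT_TOKEN to audit a real tenant;
    # otherwise the constructed sample is used and nothing is sent anywhere.
    domain = os.environ.get("AUTH0_DOMAIN")
    token = os.environ.get("AUTH0_MGMT_TOKEN")
    clients = fetch_clients(domain, token) if domain and token else SAMPLE_CLIENTS
    for client_id, method in audit(clients):
        print(f"{client_id}: token_endpoint_auth_method={method!r} "
              f"-> PATCH {json.dumps(patch_body({}))}")
        if domain and token and os.environ.get("AUTH0_APPLY_FIX") == "1":
            apply_fix(domain, token, client_id)
```

Run without environment variables to see the audit over the sample data; with AUTH0_DOMAIN and AUTH0_MGMT_TOKEN set it lists the real mismatches, and only with AUTH0_APPLY_FIX=1 does it send the PATCH, so the check can be reviewed before anything is changed.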