Hello,
We have an SPA with Auth0 and we are in the process of switching to OIDC. When I make an SPA Auth0 OIDC compliant there is no longer a credentials tab (as expected), but there is still a client secret. What exactly is this secret for? Before, it seems it was required to validate the JWT tokens of the users, but with OIDC it seems it is no longer needed for this. So what's its use?
Hi @crutten
Welcome to the Auth0 Community!
You are correct in this observation, as client secrets should not be used with public clients that cannot securely store secrets, such as SPAs. It does not serve a major role compared to other application types that can store secrets securely, and it would mainly be there for consistency, potential backend use cases and future development.
One reason for Auth0 generating a Client Secret for an SPA can be to provide flexibility for any future developments, in case a Client Secret becomes more widely used in a new flow type. If that were the case, it could be harder to backtrack and generate a secret for all existing SPAs instead of providing it from the start.
Even though there is no immediate and practical use for the Client Secret in an SPA, it might have very niche applicability and also create consistency among the Auth0 applications, as all of them are generated with both a Client ID and a Secret.
Hope that helped!
Gerald