Yeah that's right. I agree it's super confusing and has caused ... • Aaron Parecki

45°F

Brock Allen https://twitter.com/BrockLAllen • Feb 25
It's confusing as hell, and I'm confused by the implementation -- on the token endpoint if Origin is present, you require that the authz used PKCE? That's about the only valid approach to that I can imagine.

Yeah that's right. I agree it's super confusing and has caused some tricky issues before. It may be different in the new platform but I'd have to double check

Portland, Oregon • 34°F

Thu, Feb 24, 2022 6:53pm -08:00

4 replies
Have you written a response to this? Let me know the URL:
- Aaron Parecki twitter.com/aaronpk
  
  Yep, I confirmed my suspicion. Misleading error message. Will post details on the github thread.
  
  Fri, Feb 25, 2022 3:03am +00:00 (via brid.gy)
- Brock Allen twitter.com/BrockLAllen
  
  Ah, good question -- I didn't notice that. I bet their client config is misconfigured then.
  
  Fri, Feb 25, 2022 3:00am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  why does that example have the browser sending a client secret in the request? That seems odd. Happy to continue this over on the github thread.
  
  Fri, Feb 25, 2022 2:58am +00:00 (via brid.gy)
- Brock Allen twitter.com/BrockLAllen
  
  People are asking, when using standards compliant OIDC client libraries: github.com/authts/oidc-cl…
  
  Fri, Feb 25, 2022 2:55am +00:00 (via brid.gy)

Posted in /replies using indigenous.abode.pub/ios