yep you guessed it! misleading error message but that's exactly ... • Aaron Parecki

51°F

Hirsch Singhal https://twitter.com/hpsin_ • Feb 25
Helps prevent devs from putting their client secrets in a web page to perform the client creds flow, yep. When AAD enabled this, we definitely got a couple support calls on that. This was how we ratcheted forward PKCE use from suggested to required as well.

yep you guessed it! misleading error message but that's exactly what was going on.

Portland, Oregon, USA • 33°F

Thu, Feb 24, 2022 7:07pm -08:00

2 replies
Have you written a response to this? Let me know the URL:
- Aaron Parecki twitter.com/aaronpk
  
  I totally agree, this error message makes no sense. I'm going to file a ticket tomorrow internally to fix it.
  
  Fri, Feb 25, 2022 3:18am +00:00 (via brid.gy)
- Brock Allen twitter.com/BrockLAllen
  
  Arguably, tho, PKCE and putting a client secret into a SPA are orthogonal. It's conflating two things that work differently. Poor devs can't understand those differences. The error should be "we see you sent a client secret and an Origin header. is your client a SPA?"
  
  Fri, Feb 25, 2022 3:10am +00:00 (via brid.gy)

Posted in /replies using quill.p3k.io