REST API Authentication without client secret

Hi,
I am using the REST API for my application and testing it with oauthdebugger.com using the PKCE approach, and I am getting the authentication code added as the code URL parameter. To exchange this authorization code for an access token, I am executing another HTTP request, as shown below, following the documentation (Obtaining Tokens :: Jmix Documentation):

curl -X POST http://localhost:8080/oauth2/token \
   --basic --user myapp:myappsecret \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "grant_type=authorization_code" \
   -d "redirect_uri=https://oauthdebugger.com/debug" \
   -d "code=c9ehHTJyT84mX-v2v2Q8sbAxkAFYg-gjfZDJImu5ExZVGLUyWn_J2-afs_m7kiv7MwjD-XXVRQtwz_6H-JTb4NvuWiUw6-5vrF75LtyNYAovuvSJQ680nQwv3PbhB4Y-" \
   -d "code_verifier=zdhRZIStXgwonFfvNYo2oI6nYuYt022LdcZF8eh3LGE" \
   -d "code_challenge_method=S256"

But why should the above curl request require the client secret?

The whole point of Proof Key for Code Exchange (PKCE) is to eliminate the need for a client secret, making it more suitable for public clients like mobile or JavaScript applications.

So, how can we get the access token using the authorization code in the client application?

Hi,

Looks like it requires configuring a “public” client, which doesn’t have a secret at all.
Some details can be found in How-to: Authenticate using a Single Page Application with PKCE :: Spring Authorization Server

With the following properties, https://oauthdebugger.com did the code exchange automatically and provided a valid access token:

#public client
spring.security.oauth2.authorizationserver.client.public-client.registration.client-id=public-client
spring.security.oauth2.authorizationserver.client.public-client.registration.client-authentication-methods=none
spring.security.oauth2.authorizationserver.client.public-client.registration.authorization-grant-types=authorization_code
spring.security.oauth2.authorizationserver.client.public-client.registration.redirect-uris=https://oauthdebugger.com/debug
spring.security.oauth2.authorizationserver.client.public-client.scopes=openid,profile
spring.security.oauth2.authorizationserver.client.public-client.require-proof-key=true

Please check.

Regards,
Ivan
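To make the public-client flow concrete, here is an added example (not code from the thread or from Jmix) of how a client does the PKCE exchange without any client secret: it derives the S256 challenge from a verifier, sends only the challenge in the authorization request, and then posts client_id and code_verifier to the token endpoint with no Basic auth header. The endpoints, client-id and redirect URI are taken from this thread; the authorize path is assumed to be the Spring Authorization Server default.

```python
import base64
import hashlib
import secrets
import urllib.parse
import urllib.request

# Assumed: Spring Authorization Server defaults plus the registration from the thread
AUTHORIZE_URL = "http://localhost:8080/oauth2/authorize"
TOKEN_URL = "http://localhost:8080/oauth2/token"
CLIENT_ID = "public-client"          # client-authentication-methods=none
REDIRECT_URI = "https://oauthdebugger.com/debug"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier (43..128 chars); it never leaves the client."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Authorization request: the challenge goes here, not the verifier."""
    params = {
        "response_type": "code",     # OAuth 2.1 removed the implicit 'token' type
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def build_token_request(code: str, verifier: str) -> urllib.request.Request:
    """Token request for a public client: client_id in the form body, no
    Authorization header; the verifier proves the same client started the flow."""
    form = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": verifier}
    return urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
```

Opening `build_authorize_url(...)` in a browser yields the code on the redirect URI; `urllib.request.urlopen(build_token_request(code, verifier))` then returns the JSON token response. Note that code_challenge_method belongs to the authorization request only, so it is not sent to the token endpoint.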

Hi @i.gavrilov ,
Thanks for your response. I have the same configuration in my application.properties file.

Only when I request with response type as code am I successfully routed to the login page.

If I select token, then I get the “Whitelabel Error Page”; below are the screenshots, and I have also attached my Jmix project for your perusal.

application.properties file:

main.datasource.url = jdbc:hsqldb:file:.jmix/hsqldb/oauthcodeflow
main.datasource.username = sa
main.datasource.password =

main.liquibase.change-log=com/company/oauth_code_flow/liquibase/changelog.xml

jmix.ui.login-view-id = LoginView
jmix.ui.main-view-id = MainView
jmix.ui.menu-config = com/company/oauth_code_flow/menu.xml
jmix.ui.composite-menu = true

ui.login.defaultUsername = admin
ui.login.defaultPassword = admin

jmix.core.available-locales = en

# Launch the default browser when starting the application in development mode
vaadin.launch-browser = false

# Use pnpm to speed up project initialization and save disk space
vaadin.pnpm.enable = true

logging.level.org.atmosphere = warn

# 'debug' level logs SQL generated by EclipseLink ORM
logging.level.eclipselink.logging.sql = info

# 'debug' level logs data store operations
logging.level.io.jmix.core.datastore = info

# 'debug' level logs access control constraints
logging.level.io.jmix.core.AccessLogger = debug

# 'debug' level logs all Jmix debug output
logging.level.io.jmix = info

spring.security.oauth2.authorizationserver.client.public-client.registration.client-id=public-client
spring.security.oauth2.authorizationserver.client.public-client.registration.client-authentication-methods=none
spring.security.oauth2.authorizationserver.client.public-client.registration.authorization-grant-types=authorization_code
spring.security.oauth2.authorizationserver.client.public-client.registration.redirect-uris=https://oauthdebugger.com/debug
spring.security.oauth2.authorizationserver.client.public-client.scopes=openid,profile
spring.security.oauth2.authorizationserver.client.public-client.require-proof-key=true

# Login page configuration
jmix.authserver.login-page-view-name=custom-as-login.html
#-----------------------------------------------------------------------------------------------------------------------

jmix.resource-server.authenticated-url-patterns=/rest/**
jmix.rest.inline-fetch-plan-enabled=false

Thanks.
oauth_code_flow.zip (191.2 KB)

[screenshot: response type = code]

[screenshot: response type = token]

[screenshot: response type = code, token]

Hi @i.gavrilov

Any update on this? We are still facing the issue. Please advise us: are we doing anything wrong in the configuration (application.properties)?

Thanks.

Hi,

Sorry for the late response.

Spring Authorization Server is based on OAuth 2.1 specification.

response_type=token relates to implicit flow which was deprecated and removed within OAuth 2.1 (draft-ietf-oauth-v2-1-12 - The OAuth 2.1 Authorization Framework) in favor of PKCE.

So it looks like you can’t use this approach.

Regards,
Ivan