Is authorization code with PKCE the default in the auth code grant type implementation?


We are using oidc-client. The client's grant type setting is authorization code. However, I found out that my authorization code flow uses PKCE, because I can use it without a client secret and it has code_challenge in the URI. I'm looking into how it was set, but I couldn't find it.

I just want to know if auth code with PKCE is the default one now. Correct me if I'm wrong: when you don't set in your oidc-client that you will use PKCE, then you should use the normal auth code flow that requires the client secret?

This is my client:

getClientSettings(): UserManagerSettings {
  const config = this.config._envConfig;

  return {
    authority: `${config.BaseAuthUrl}`,
    client_id: "auth-code-client",
    redirect_uri: `${config.BaseRedirectUrl}/signin-callback`,
    post_logout_redirect_uri: `${config.BaseRedirectUrl}`,
    response_type: "code",
    scope: "scope_1 scope_2 scope_3",
    filterProtocolClaims: true,
    loadUserInfo: false,
    silent_redirect_uri: `${config.BaseRedirectUrl}/renewtoken`,
    automaticSilentRenew: true,
    revokeAccessTokenOnSignout: true,
    monitorSession: true,
  };
}

Michal Trojanowski On

If it indeed is the default behaviour, it's very good. There is no downside to using PKCE, and you should always use it if possible. PKCE adds another layer of security to the flow; it does not stop you from using the client's secret. Also, if the Authorization Server does not support PKCE, it should just ignore the parameters, so it doesn't matter for your client if the Authorization Server uses PKCE or not.
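The exchange discussed above, as an added example that is not part of the original question or answer and is not oidc-client's own code: a Node.js sketch of PKCE with S256 (RFC 7636) showing where `code_challenge` comes from on the client and how a token endpoint can check the verifier alongside, not instead of, a client secret. The function names, the `grant`/`client` object shapes and the no-PKCE policy are assumptions made for illustration.

```javascript
// Added example (not oidc-client code): PKCE with S256 as defined in RFC 7636.
const nodeCrypto = require("node:crypto");

// Client: a fresh random verifier per authorization request (32 bytes -> 43 chars).
function newCodeVerifier() {
  return nodeCrypto.randomBytes(32).toString("base64url");
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function codeChallenge(verifier) {
  return nodeCrypto.createHash("sha256").update(verifier, "ascii").digest().toString("base64url");
}

// Client: the authorization request; only the challenge appears in the URI.
function authorizeUrl(endpoint, settings, verifier) {
  const url = new URL(endpoint);
  url.search = new URLSearchParams({
    client_id: settings.client_id,
    redirect_uri: settings.redirect_uri,
    response_type: "code",
    scope: settings.scope,
    code_challenge: codeChallenge(verifier),
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Constant-time string comparison.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// Server (hypothetical): token endpoint decision. `grant` is what the server stored
// when it issued the code; `client.secret` is set only for confidential clients.
function redeemCode(grant, request, client) {
  // PKCE does not replace client authentication: a registered secret is still checked.
  if (client.secret !== undefined &&
      !safeEqual(request.client_secret ?? "", client.secret)) return "invalid_client";
  if (grant.code_challenge !== undefined) {
    // The code is bound to the challenge; the caller must present the matching verifier.
    if (typeof request.code_verifier !== "string") return "invalid_grant";
    return safeEqual(codeChallenge(request.code_verifier), grant.code_challenge)
      ? "ok" : "invalid_grant";
  }
  // Assumed policy: without PKCE, only an authenticated (confidential) client may redeem.
  return client.secret !== undefined ? "ok" : "invalid_grant";
}
```

The verifier never leaves the client until the token request, so an intercepted authorization code cannot be redeemed without it.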