
Question: Should client secret be part of authorization endpoint redirect URL?

Open · highbyte opened this issue 8 years ago · 1 comment

I have a Keycloak client configured like this:

- Standard (code) flow
- Client secret (access type: confidential)

In an ASP.NET MVC app, when the Keycloak library is authorizing the user by doing a redirect to the Keycloak authorization endpoint (=requesting an access code), it includes the client secret in the URL visible in the user's browser.

https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak%2FTestKeycloakCookieAuth%2Fcallback&response_type=code&scope=openid&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a&client_id=testclient&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1

Is that correct? Shouldn't the client secret only be used in the "back channel" when the library requests an Id/Access Token based on the access code (via HTTP post)?

https://github.com/dylanplecki/KeycloakOwinAuthentication/blob/d80b836de0f1048633ec1feee313b84aa2882926/src/KeycloakIdentityModel/Utilities/OidcDataManager.cs#L292-L293

highbyte, Nov 07 '17 09:11
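To make the two channels the question contrasts concrete, here is an added example (not code from KeycloakOwinAuthentication, the mattmorg55 fork, or Keycloak itself) that builds the front-channel authorization URL with only public parameters, checks any redirect URL for confidential parameters, validates the callback, and builds the back-channel token request in which the secret actually belongs. The endpoint base, client id, redirect URI and the secret value are copied from the issue text (the secret is a placeholder, not a real credential), and `client_secret_basic` is assumed as the back-channel authentication method; Keycloak also accepts the secret as a POST form field, which is equally fine because either way it stays out of the browser.

```python
"""Authorization-code flow, split into its two channels.

Added illustration; not code from KeycloakOwinAuthentication or Keycloak.
Endpoint base, client id, redirect URI and secret value mirror the issue text;
the secret is a constructed placeholder, not a real credential.
"""
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Assumed Keycloak endpoint layout (matches the URL quoted in the issue).
KEYCLOAK_BASE = "https://mydomain/auth/realms/testrealm/protocol/openid-connect"
CLIENT_ID = "testclient"
CLIENT_SECRET = "1a111c11-aaa1-11aa-1a11-1a111111a1a1"  # constructed placeholder
REDIRECT_URI = "http://localhost:1234/owin/security/keycloak/TestKeycloakCookieAuth/callback"

# The redirect reported in the issue, verbatim, used as input to the leak check.
LEAKY_URL_FROM_ISSUE = (
    "https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth"
    "?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak"
    "%2FTestKeycloakCookieAuth%2Fcallback&response_type=code&scope=openid"
    "&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a&client_id=testclient"
    "&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1"
)

# Values that must never appear in a URL the browser sees (history, proxy logs, Referer).
FRONT_CHANNEL_FORBIDDEN = frozenset({"client_secret", "password", "refresh_token"})


def new_state() -> str:
    """Unguessable per-login value; stored in the user's session and checked on callback."""
    return "oidc_state_" + secrets.token_hex(16)


def build_authorization_url(state: str) -> str:
    """Front channel: the browser is redirected here, so only public values go in."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{KEYCLOAK_BASE}/auth?{urlencode(params)}"


def leaked_front_channel_params(url: str) -> set:
    """Names of confidential parameters found in a redirect URL.

    Run this against whatever URL an OIDC client library hands to the browser;
    a non-empty result is exactly the bug reported in this issue.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return set(FRONT_CHANNEL_FORBIDDEN & set(query))


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the callback, rejecting a wrong state."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: callback is not tied to this login attempt")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code[0]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic (RFC 6749 section 2.3.1): form-encode, then base64 'id:secret'."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(code: str) -> dict:
    """Back channel: server-to-server POST; this is the only place the secret is sent."""
    return {
        "method": "POST",
        "url": f"{KEYCLOAK_BASE}/token",
        "headers": {
            "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,
        }),
    }


if __name__ == "__main__":
    print("leaked in issue URL:", leaked_front_channel_params(LEAKY_URL_FROM_ISSUE))
    state = new_state()
    print("leaked in corrected URL:", leaked_front_channel_params(build_authorization_url(state)))
    code = parse_callback(f"{REDIRECT_URI}?state={state}&code=example-code", state)
    print(build_token_request(code))
```

`leaked_front_channel_params` is the piece worth keeping as a regression test around any OIDC client library: feed it the URL the middleware redirects to and fail the build if the result is non-empty. Note that the secret is redundant on the authorization endpoint anyway; the authorization server identifies the client by `client_id` and the registered redirect URI there, and only needs the secret when the code is exchanged.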

Issue was fixed in the mattmorg55/Owin.Security.Keycloak fork that works with Keycloak v3.2.

mattmorg55/Owin.Security.Keycloak#4

highbyte, Nov 09 '17 18:11