Skip to content

Commit

Permalink
public client documentation
Browse files Browse the repository at this point in the history
The PRs dexidp/dex#1784 and dexidp/dex#1822 are super useful, but the documentation can be confusing.

First, it does not make sense to specify a secret in a public client because it will require you to pass the secret to the public client, which will make the secret "not secret".

Also, as of dexidp/dex#1822, it is possible to use `redirectURIs` in a public client.

Signed-off-by: leonnicolas <[email protected]>
  • Loading branch information
leonnicolas authored Feb 14, 2023
1 parent 9685437 commit 0785e25
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions content/docs/custom-scopes-claims-clients.md
Original file line number Diff line number Diff line change
Expand Up @@ -94,10 +94,12 @@ staticClients:
- id: cli-app
public: true
name: 'CLI app'
secret: cli-app-secret
redirectURIs:
- ...
```
Instead of traditional redirect URIs, public clients are limited to either redirects that begin with "http://localhost" or a special "out-of-browser" URL "urn:ietf:wg:oauth:2.0:oob". The latter triggers dex to display the OAuth2 code in the browser, prompting the end user to manually copy it to their app. It's the client's responsibility to either create a screen or a prompt to receive the code, then perform a code exchange for a token response.
If no `redirectURIs` are specified, public clients only support redirects that begin with "http://localhost" or a special "out-of-browser" URL "urn:ietf:wg:oauth:2.0:oob".
The latter triggers dex to display the OAuth2 code in the browser, prompting the end user to manually copy it to their app. It's the client's responsibility to either create a screen or a prompt to receive the code, then perform a code exchange for a token response.

When using the "out-of-browser" flow, an ID Token nonce is strongly recommended.

Expand Down

0 comments on commit 0785e25

Please sign in to comment.