`client_secret` should be optional with authorization_code + PKCE flow

[lanwen]

Since this flow is intended to be adopted by native and web apps, most of the services (such as auth0 for instance) allow to omit client_secret, as it's anyway insecure.

Would be nice to have it as a config option or a way to override

[laduke]

did you find a workaround?

[lanwen]

@laduke Yes, I had to fork it
main...lanwen:mockoidc:client-secret-ignore

[rendicott]

I was just tacking on client_secret into my token exchange request arbitrarily in my redirect handler to get around this.

func testDirectedHandler(w http.ResponseWriter, r *http.Request) {
	var httpCookies []*http.Cookie
	cookieNonce, err := r.Cookie(cookieNameNonce)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error getting nonce cookie"))
		return
	}
	cookiePkce, err := r.Cookie(cookieNamePkce)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error getting pkce cookie"))
		return
	}
	httpCookies = append(httpCookies, cookieNonce)
	httpCookies = append(httpCookies, cookiePkce)
	rauT := fmt.Sprintf("http://%s%s?%s&client_secret=%s",
		r.URL.Host,
		r.URL.Path,
		r.URL.RawQuery,
		testDirectedClientSecret,
	)
	rau, err := url.Parse(rauT)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error parsing directed request URL"))
		return
	}

	cookieAccessToken, _, err := testDirectedAuthenticator.ValidateURLAndExchangeToken(
		rau, // give the URL path to be parsed
		httpCookies,
	)
...