important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Client secret is required if not using PKCE

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2023-05-11

Context and Problem Statement#

In certain cases, the specs require us to differentiate between client types, i.e. whether a client secret has been issued (confidential client) or not (public client). Because we are not supporting all flows, this can be simplified: it mainly comes down to whether a client secret has to be passed when creating an auth code or tokens.

Considered Options#

  • Client secret is required if not using PKCE
  • Never require client secret
  • Add client type that has to be specified during client creation

Decision Outcome#

Chosen option: Client secret is required if not using PKCE

  • Simple
  • Works with all the flows we support

Pros and Cons of the Options#

Client secret is required if not using PKCE#

In case of refresh: we require the client secret if the tokens weren't originally created using PKCE. In all other cases: we require the client secret if the current flow isn't using PKCE.

  • Simple
  • Works with all flows we support
  • Enforces our flow recommendations
  • Could make some people try to add their client secret to their FE code
  • Not an exact match for the specs
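As an added illustration of the chosen rule (this is example code written for this page, not SuperTokens' implementation; the in-memory `Client`/`AuthCode`/`TokenRecord` records, function names and error strings are assumptions), the two checks above expressed as token-endpoint logic. The auth code exchange decides "using PKCE" from whether the code carries a `code_challenge`, verifies the `code_verifier` (S256), and records that decision on the issued tokens so that a later refresh can apply the same rule. A presented client secret is always verified, even when PKCE makes it optional; that last point is a design choice of this example, not something the proposal states.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


# Constructed, in-memory records standing in for persisted OAuth2 state (assumption).
@dataclass
class Client:
    client_id: str
    client_secret: Optional[str]  # None means no secret was ever issued (public client)


@dataclass
class AuthCode:
    client_id: str
    code_challenge: Optional[str]  # None means the auth request did not use PKCE
    code_challenge_method: str = "S256"


@dataclass
class TokenRecord:
    client_id: str
    created_with_pkce: bool  # remembered so refresh can apply the same rule


class TokenRequestError(Exception):
    """Raised for any rejected token request; message mirrors OAuth2 error codes."""


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_client_secret(client: Client, presented: Optional[str], required: bool) -> None:
    """Require a secret only when `required`; verify one whenever it is presented."""
    if presented is None:
        if required:
            raise TokenRequestError("invalid_client: client_secret required when not using PKCE")
        return
    if client.client_secret is None or not hmac.compare_digest(
        client.client_secret.encode("utf-8"), presented.encode("utf-8")
    ):
        raise TokenRequestError("invalid_client: client_secret mismatch")


def exchange_code(
    client: Client, code: AuthCode, code_verifier: Optional[str], client_secret: Optional[str]
) -> TokenRecord:
    """Authorization code grant: secret required iff the current flow is not PKCE."""
    if code.client_id != client.client_id:
        raise TokenRequestError("invalid_grant: code was issued to a different client")
    using_pkce = code.code_challenge is not None
    if using_pkce:
        if code.code_challenge_method != "S256":
            raise TokenRequestError("invalid_request: only S256 code_challenge_method is supported")
        if code_verifier is None or not hmac.compare_digest(
            s256_challenge(code_verifier).encode("ascii"), code.code_challenge.encode("ascii")
        ):
            raise TokenRequestError("invalid_grant: code_verifier does not match code_challenge")
    check_client_secret(client, client_secret, required=not using_pkce)
    return TokenRecord(client.client_id, created_with_pkce=using_pkce)


def refresh_tokens(client: Client, token: TokenRecord, client_secret: Optional[str]) -> TokenRecord:
    """Refresh grant: secret required iff the tokens were not originally created with PKCE."""
    if token.client_id != client.client_id:
        raise TokenRequestError("invalid_grant: refresh token belongs to a different client")
    check_client_secret(client, client_secret, required=not token.created_with_pkce)
    return TokenRecord(client.client_id, created_with_pkce=token.created_with_pkce)


def rejects(fn: Callable, *args) -> bool:
    """True if the token request is rejected; used to assert the negative cases."""
    try:
        fn(*args)
    except TokenRequestError:
        return True
    return False
```

The `created_with_pkce` flag on the token record is what makes the refresh half of the rule enforceable: without it, a refresh request carries nothing that says which flow originally issued the tokens, so a public client's refresh token could not be told apart from a confidential client's.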

Never require client secret#

  • Simple
  • Not secure
  • Doesn't match the specs

Add client type that has to be specified during client creation#

  • Works with all flows
  • Exact match for the specs
  • Complicates the implementation/docs
  • Requires introducing a new concept to users