Hi George,
For single-page-apps the client registration endpoint may return the client
secret in the form of cookies with the HttpOnly and secure flags set.
JavaScript will not be able to access the client secret and the front-end
developer does not have to fiddle with the secret. If the user deletes the
cookies, the client re-registers with the AS.
-Igor
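An added illustration of the flow Igor sketches above (example code, not from the poc repository or any participant): a registration endpoint that hands the client secret back only in an HttpOnly, Secure cookie, and a token-endpoint check that reads it from the Cookie header and asks the SPA to re-register when the cookie is gone. The cookie name, the `/token` path and the in-memory registry are assumptions.

```python
# Constructed example: cookie-delivered client secret for an SPA after dynamic
# client registration. Not the thread's code; endpoint paths and names are assumed.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "as_client_secret"   # assumed cookie name
REGISTRY = {}                      # client_id -> sha256(secret); stand-in for the AS store


def register_client(redirect_uris):
    """Registration response: the secret travels only in Set-Cookie, never in
    the JSON body, so page script cannot read it (HttpOnly) and it is only
    sent over TLS (Secure) and only to the token endpoint (Path)."""
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    REGISTRY[client_id] = hashlib.sha256(client_secret.encode()).hexdigest()
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = client_secret
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["path"] = "/token"
    headers = {"Set-Cookie": cookie.output(header="").strip()}
    body = {"client_id": client_id, "redirect_uris": redirect_uris}
    return headers, body


def authenticate_client(client_id, cookie_header):
    """Token-endpoint client authentication from the browser's Cookie header.
    Returns (ok, reason); 'reregister' means the cookie is missing, e.g. the
    user cleared cookies, so the SPA should run registration again."""
    if client_id not in REGISTRY:
        return False, "unknown_client"
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if COOKIE_NAME not in jar:
        return False, "reregister"
    presented = hashlib.sha256(jar[COOKIE_NAME].value.encode()).hexdigest()
    if not hmac.compare_digest(presented, REGISTRY[client_id]):
        return False, "invalid_client"
    return True, "ok"
```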
On Wed, Oct 6, 2021 at 7:30 PM George Fletcher wrote:
For single-page-apps there is also DPoP [ https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04] which provides some similar capabilities using ephemeral keys. The issue I see with DCR and SPAs is maintaining the keys in the browser in a persistent way.
On Wed, Oct 6, 2021 at 7:11 AM Igor Zboran wrote:
Hi everyone,
Please take a look at https://github.com/uma-email/poc#protected-dynamic-client-registration .
This may solve the single page applications and native applications problem with client secrets. I mean, the client is public with respect to the IdP, and at the same time – after dynamic registration – confidential with respect to the AS.
Regards
-Igor
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org