Hi George,

For single-page-apps the client registration endpoint may return the client secret in the form of cookies with the HttpOnly and Secure flags set. JavaScript will not be able to access the client secret and the front-end developer does not have to fiddle with the secret. If the user deletes the cookies, the client re-registers with the AS.

-Igor

On Wed, Oct 6, 2021 at 7:30 PM George Fletcher <george.fletcher@yahooinc.com> wrote:
For single-page-apps there is also DPoP [https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04] which provides some similar capabilities using ephemeral keys. The issue I see with DCR and SPAs is maintaining the keys in the browser in a persistent way.

On Wed, Oct 6, 2021 at 7:11 AM Igor Zboran <izboran@gmail.com> wrote:
Hi everyone,

Please take a look at https://github.com/uma-email/poc#protected-dynamic-client-registration.

This may solve the single-page applications and native applications problem with client secrets. I mean, the client is public with respect to the IdP, and at the same time – after dynamic registration – confidential with respect to the AS.

Regards

-Igor
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma
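
Added example, not part of the thread and not code from the linked PoC: a sketch of the cookie-based delivery described in the first message, where registration hands the secret to the browser only as an HttpOnly, Secure cookie and a client whose cookie was deleted has to re-register. The cookie name, the /token path scope, SameSite=Strict and the hashed server-side store are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "as_client_secret"  # assumed name, not from the thread


def register_client(store):
    """Registration endpoint: returns (JSON body, Set-Cookie header value)."""
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    # The AS keeps only a hash; the secret itself never appears in the body.
    store[client_id] = hashlib.sha256(client_secret.encode()).hexdigest()
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = client_secret
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True      # not readable through document.cookie
    morsel["secure"] = True        # sent over HTTPS only
    morsel["samesite"] = "Strict"  # assumption: no cross-site sends
    morsel["path"] = "/token"      # assumption: scoped to the token endpoint
    return {"client_id": client_id}, morsel.OutputString()


def authenticate_client(store, client_id, cookie_header):
    """Token endpoint: authenticate the client from the Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    expected = store.get(client_id)
    if morsel is None or expected is None:
        return False  # cookie deleted or unknown client: must re-register
    presented = hashlib.sha256(morsel.value.encode()).hexdigest()
    return hmac.compare_digest(presented, expected)


def browser_cookie_header(set_cookie):
    """Constructed stand-in for the browser: sends back only name=value."""
    return set_cookie.split(";", 1)[0]


def demo():
    store = {}
    body, set_cookie = register_client(store)
    ok = authenticate_client(store, body["client_id"],
                             browser_cookie_header(set_cookie))
    after_delete = authenticate_client(store, body["client_id"], "")
    new_body, _ = register_client(store)  # re-registration gets a new client_id
    return ok, after_delete, new_body["client_id"] != body["client_id"]
```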