Over the next weeks I will do short blog posts about new features in IdentityServer4. The primary intention is to highlight a new feature and then defer to our docs for the details (which will also force me to write some proper docs).
Clients without secrets
Many people asked for this. The OAuth 2 token endpoint does not require authentication for so called “public clients”. We always ignored that and always mandated some sort of secret (and not treating it as really secret for public clients).
In IdentityServer4 there is a new RequireClientSecret flag on the Client class where you can enable/disable the client secret requirement.
You can read about client settings here, and about secrets in general here.
A big improvement. We use a combination of public and private clients.
And this was one of the weirder moments while using the API in IdentityServer3