New in IdentityServer4: Clients without Secrets

Over the next weeks I will do short blog posts about new features in IdentityServer4. The primary intention is to highlight a new feature and then defer to our docs for the details (which will also force me to write some proper docs).

Clients without secrets
Many people asked for this. The OAuth 2 token endpoint does not require authentication for so-called “public clients”. We always ignored that and mandated some sort of secret anyway (while not treating it as a real secret for public clients).

In IdentityServer4 there is a new RequireClientSecret flag on the Client class that lets you enable or disable the client secret requirement per client.

You can read about client settings here, and about secrets in general here.
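As an added example (not code from the post or from IdentityServer4 itself), here is what the flag looks like in a client configuration, with a confidential client that keeps the default next to a public client that switches the requirement off. Client ids, the secret value and the scope names are constructed placeholders, and the PKCE setting is an assumption the post does not discuss.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

// Added example: two IdentityServer4 client registrations that differ only in
// whether the token endpoint requires client authentication.
public static class Clients
{
    public static IEnumerable<Client> Get() =>
        new List<Client>
        {
            // Confidential client (runs on a server that can protect a secret).
            // RequireClientSecret defaults to true, so the token endpoint rejects
            // any request that does not authenticate with a registered secret.
            new Client
            {
                ClientId = "server.backend",                        // constructed
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("replace-me".Sha256()) }, // placeholder
                AllowedScopes = { "api1" }                          // constructed
            },

            // Public client (native app or browser app). A secret shipped inside
            // such a client cannot be kept confidential, so none is registered
            // and the requirement is disabled: the token endpoint then accepts a
            // request that carries only client_id, e.g.
            //   grant_type=authorization_code&code=...&client_id=native.app&...
            new Client
            {
                ClientId = "native.app",                            // constructed
                RequireClientSecret = false,
                AllowedGrantTypes = GrantTypes.Code,
                // Assumption (not from the post): with no secret, bind the
                // authorization code to the requester with PKCE instead.
                RequirePkce = true,
                RedirectUris = { "myapp://callback" },              // constructed
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    "api1"
                }
            }
        };
}
```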

This entry was posted in IdentityServer, OAuth, OpenID Connect, WebAPI.

1 Response to New in IdentityServer4: Clients without Secrets

  1. A big improvement. We use a combination of public and private clients.
     And this was one of the weirder moments while using the API in IdentityServer3.
