How to configure PhenixID Authentication Services for public clients (SPAs, embedded browsers)

For applications without their own backend, such as SPAs and embedded browsers, there is no place to store secrets (such as a client_secret).

PhenixID recommends that such public clients (i.e. clients without a secret) use the authorization code flow with the PKCE extension.

Configure PhenixID Authentication Services

  • Create a relying party with a client_id, a client_secret (set to any value, as it will not be used) and the allowed redirect URIs.
  • Set up PhenixID Authentication Services by following this guide.


Modify web frontend for CORS and preflight checks

Background:

  • Public clients must be able to call OP endpoints directly from the browser.
  • Many public clients perform preflight (CORS OPTIONS) checks before the actual endpoint request is fired.

Modify your web frontend (proxy/LB) sitting in front of PAS by following this guide.