[ 
https://issues.apache.org/jira/browse/GUACAMOLE-834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16876414#comment-16876414
 ] 

Michael Jumper commented on GUACAMOLE-834:
------------------------------------------

Guacamole uses the "implicit flow" for its OpenID Connect support. The client 
secret is not used in this case, as the secret would end up exposed. From 
[https://www.oauth.com/oauth2-servers/single-page-apps/]:

{quote}
Single-page apps (or browser-based apps) run entirely in the browser after 
loading the Javascript and HTML source code from a web page. Since the entire 
source is available to the browser, they cannot maintain the confidentiality of 
a client secret, so the secret is not used for these apps. ...
{quote}

I have never used Okta, but Okta's documentation lists this as supported:

https://developer.okta.com/docs/guides/implement-implicit/overview/

I suggest following the above. You shouldn't need a client secret unless you're 
using an IDP that strictly does not support the implicit flow. In that case, 
the path forward would be adding support for the OpenID "authorization code 
flow". I don't believe that is the case here.

> okta client secret to be configured in guacamole
> ------------------------------------------------
>
>                 Key: GUACAMOLE-834
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-834
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-openid
>    Affects Versions: 1.0.0
>         Environment: Ubuntu 16.06 (64 bit)
>            Reporter: Ram Prashath
>            Priority: Minor
>             Fix For: 1.0.0
>
>
> there is no option for client secret to be configured in guacamole.
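The point made in the comment above, as an added example (not Guacamole's own code): a standard-library Python sketch of the implicit flow as a browser client drives it, where the authorization request carries no client secret and the id_token comes back in the URL fragment. The endpoint, client id, state, nonce and token are constructed values, and the demo token is unsigned, so the claim checks here stand in for, and do not replace, signature verification against the IdP's JWKS.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

def build_implicit_request(auth_endpoint, client_id, redirect_uri, state, nonce):
    """Implicit-flow authorization request: response_type=id_token and no
    client secret anywhere, since a browser app could not keep one secret."""
    params = {"response_type": "id_token", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "state": state, "nonce": nonce}
    return auth_endpoint + "?" + urlencode(params)

def check_implicit_callback(url, expected_state, expected_nonce, issuer,
                            client_id, now):
    """The IdP returns the id_token in the URL fragment. Check state, then the
    claims OIDC Core 3.2.2.11 requires (iss, aud, exp, nonce). The signature
    must additionally be verified against the IdP's JWKS before the claims are
    trusted; that step is omitted here (Guacamole does it server-side)."""
    params = parse_qs(urlsplit(url).fragment)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    _header, payload, _signature = params["id_token"][0].split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token not issued for this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this login attempt")
    return claims

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def demo_callback(state, nonce, exp):
    """Constructed callback URL carrying a demo token whose signature part is a
    placeholder; it only exercises the claim checks above."""
    header = _b64url_encode({"alg": "RS256", "kid": "demo"})
    body = _b64url_encode({"iss": "https://idp.example", "sub": "alice",
                           "aud": "guac-client", "exp": exp, "nonce": nonce})
    token = ".".join([header, body, "placeholder-signature"])
    return "https://guac.example/#" + urlencode({"id_token": token, "state": state})
```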



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)