Skip to main content

Mobile & Browser (Single-Page-App) with OAuth2

We've an excellent blog post on this topic. Read it now!

Creating a public OAuth 2.0 Client

You can create a public OAuth 2.0 Client (for example for the authorize code + PKCE or implicit flow) with the CLI

hydra clients create --endpoint http://ory-hydra-admin-api --token-endpoint-auth-method none

or by setting in the HTTP API JSON body when POSTing to /clients:

{
"client_id": "...",
"token_endpoint_auth_method": "none"
}

Be aware that when making requests to /oauth2/token or /oauth2/revoke with a public OAuth 2.0 Client, you can't authenticate with the HTTP Basic Authorization but must include the client_id in the POST body:

POST /oauth2/token
...

client_id=...&
...
note

The public clients using a non-https redirect scheme can't skip consent as per OpenID Specification & Certification.