Mobile & Browser (Single-Page-App) with OAuth2
We have an excellent blog post on this topic. Read it now!
Creating a public OAuth 2.0 Client
You can create a public OAuth 2.0 Client (for example for the authorization code + PKCE flow or the implicit flow) with the CLI
hydra clients create --endpoint http://ory-hydra-admin-api --token-endpoint-auth-method none
or by setting the following in the HTTP API JSON body when POSTing to /clients:
{
"client_id": "...",
"token_endpoint_auth_method": "none"
}
Be aware that when making requests to /oauth2/token or /oauth2/revoke with a public OAuth 2.0 Client, you can't authenticate with HTTP Basic Authorization but must include the client_id in the POST body:
POST /oauth2/token
...
client_id=...&
...
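The following is an added example (not code from the Ory Hydra project or its documentation) that puts the two points above together for a public client: it derives a PKCE code_verifier/code_challenge pair, builds the authorization request, and then builds the /oauth2/token and /oauth2/revoke requests so that client_id travels in the form body and no HTTP Basic Authorization header is sent. The client id "my-spa", the redirect URI and the Hydra host are constructed placeholders; the check function is a pre-flight guard you can run in a test suite to catch a client library that falls back to Basic auth.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed placeholders for this example; substitute your own deployment's values.
TOKEN_ENDPOINT = "https://hydra.example.invalid/oauth2/token"    # placeholder Hydra public URL
REVOKE_ENDPOINT = "https://hydra.example.invalid/oauth2/revoke"  # placeholder Hydra public URL
CLIENT_ID = "my-spa"  # hypothetical client created with token_endpoint_auth_method=none
REDIRECT_URI = "https://app.example.invalid/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh high-entropy code_verifier (43 chars from 32 random bytes) and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_params(client_id: str, redirect_uri: str, challenge: str, state: str) -> dict:
    """Query parameters for the /oauth2/auth redirect (authorization code + PKCE)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid offline",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }


def build_public_token_request(client_id: str, code: str, redirect_uri: str, verifier: str):
    """Token request for a public client: no Authorization header, client_id in the form body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    })
    return headers, body


def build_public_revoke_request(client_id: str, token: str):
    """Revocation request for a public client follows the same rule: client_id in the body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"client_id": client_id, "token": token})


def check_public_client_request(headers: dict, body: str) -> tuple[bool, str]:
    """Pre-flight guard: reject Basic auth and require client_id for a public-client request."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if auth.lower().startswith("basic "):
        return False, "public client must not use HTTP Basic Authorization"
    if "client_id" not in parse_qs(body):
        return False, "client_id missing from POST body"
    return True, "ok"


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("redirect to /oauth2/auth?" + urlencode(
        build_authorize_params(CLIENT_ID, REDIRECT_URI, challenge, state)))
    # After the user returns with ?code=...&state=..., exchange the code:
    headers, body = build_public_token_request(CLIENT_ID, "CODE_FROM_CALLBACK", REDIRECT_URI, verifier)
    print(check_public_client_request(headers, body))
    print("POST", TOKEN_ENDPOINT, headers, body)
```

The state value and the code_verifier must be kept on the client side between the redirect and the callback (in a SPA, sessionStorage is the usual place), and the verifier is sent only once, in the token request.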
Note: Public clients using a non-https redirect scheme can't skip consent, as required by the OpenID specification and certification.