
I've implemented a Blazor WASM application with Google authentication as described here.

If I select "Log in", I get redirected to Google and I can insert my username and password.
At that point Google redirects to the RedirectUri (/authentication/login-callback).
This causes the Blazor SPA to reload, which is expected.

At that point I can see (from Edge Dev Tools) the AuthenticationService.js library issue a token request to Google, but the request fails.


My understanding so far:

  • I'm using an Authentication Code Flow with PKCE: by design, this does not store the client_secret on the client, nor send it to the IP.
  • If I change the ResponseCode to "id_token" as suggested here, authentication completes. But, this way, I'm using Implicit Flow, which is no longer recommended for security reasons.

Thank you.

1 Answer


Unfortunately, the Google OAuth2 "web application" client doesn't really support code flow with PKCE, even now: https://stackoverflow.com/a/63275535/20240963.

But the "UWP" client supports PKCE: https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier. So there is a workaround: create a "UWP" client, and the authentication will succeed.

Credentials -> Create credentials -> OAuth client ID -> UWP

You could use this "UWP" client for Blazor WASM. The store ID can be whatever.
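The authorization code flow with PKCE discussed above, as an added Node.js example that is not part of the original question or answer: it builds the parameters a public client sends (no client_secret anywhere) and the check a provider performs on the token request. All function names are hypothetical, and any client ID or redirect URI passed in is a caller-supplied placeholder.

```javascript
// Added example: PKCE (RFC 7636) values for an authorization code flow.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// base64url without padding, the encoding RFC 7636 uses for both values.
const b64url = (buf) => buf.toString("base64url");

// Client: 32 random bytes give a 43-character code_verifier.
function newCodeVerifier() {
  return b64url(randomBytes(32));
}

// S256 transform: BASE64URL(SHA256(ASCII(code_verifier))).
function codeChallenge(verifier) {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Front channel: parameters added to the redirect to the identity provider.
// Only the challenge travels here; the verifier stays in the client.
function authorizationParams(clientId, redirectUri, verifier) {
  return new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid profile",
    code_challenge: codeChallenge(verifier),
    code_challenge_method: "S256",
  });
}

// Back channel: token request body after the login callback.
// The verifier proves the caller started the flow; no client_secret is sent.
function tokenRequestBody(clientId, redirectUri, code, verifier) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    redirect_uri: redirectUri,
    code,
    code_verifier: verifier,
  });
}

// Provider: recompute the challenge from the presented verifier and
// compare it with the one stored when the code was issued.
function providerAccepts(storedChallenge, presentedVerifier) {
  const a = Buffer.from(codeChallenge(presentedVerifier));
  const b = Buffer.from(storedChallenge);
  return a.length === b.length && timingSafeEqual(a, b);
}
```

When debugging a failing token request in the browser dev tools, compare its form body against `tokenRequestBody` and read the error field in the provider's response to see which parameter it rejects.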
