Hi there! First of all, thanks for the great work on TinyAuth — it's been really solid as a lightweight identity layer
for my self-hosted setup.
I'd love to use TinyAuth as the OIDC provider for all my applications, but I've run into a limitation: some of them
require public client support, which TinyAuth doesn't currently offer.
The problem
The /.well-known/openid-configuration endpoint currently advertises only:
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
This means all clients must authenticate with a client_secret at the token endpoint. However, browser-based SPAs (like
https://opencloud.eu web UI) cannot securely store a client secret and rely on the none authentication method
combined with PKCE (S256), as recommended by https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
and https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1.
What would be needed
- Add none to token_endpoint_auth_methods_supported
- Allow OIDC clients to be configured without a client_secret (or with an explicitly empty one)
- Require PKCE for public clients (TinyAuth already supports PKCE, so this should be straightforward)
Use case
I'm running TinyAuth as my central identity provider and would like to connect OpenCloud (an open-source file
sync/share platform). Its web frontend is a SPA that only supports public OIDC clients with PKCE. Currently, I have to
run a separate IdP just for this application.
Thanks for considering this! Happy to help test if a branch becomes available.
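To make the request concrete, here is an added example (not TinyAuth's or OpenCloud's code) of the token-endpoint check a server needs once `none` is allowed: a client registered without a secret is treated as public, and for such a client a stored S256 `code_challenge` plus a matching `code_verifier` is mandatory rather than optional. The `Client`, `AuthCode` and `TokenRequest` types and the `AuthenticateTokenRequest` function are hypothetical names chosen for the illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// Client is one registered OIDC client; an empty Secret marks a public client.
type Client struct{ ID, Secret string }

// AuthCode is what the server stored when it issued the authorization code.
type AuthCode struct{ ClientID, CodeChallenge, CodeChallengeMethod string }

// TokenRequest holds the authorization_code grant parameters; ClientSecret is
// empty when the client uses token_endpoint_auth_method "none".
type TokenRequest struct{ ClientID, ClientSecret, CodeVerifier string }

// S256Challenge computes BASE64URL(SHA256(code_verifier)) without padding (RFC 7636).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthenticateTokenRequest accepts the grant if a confidential client proves its
// secret, or a public client proves possession of the PKCE code_verifier (hypothetical policy).
func AuthenticateTokenRequest(c Client, code AuthCode, req TokenRequest) error {
	if req.ClientID != c.ID || code.ClientID != c.ID {
		return errors.New("invalid_grant: code was not issued to this client")
	}
	if c.Secret != "" {
		// Confidential client: compare the secret in constant time.
		if subtle.ConstantTimeCompare([]byte(c.Secret), []byte(req.ClientSecret)) != 1 {
			return errors.New("invalid_client: bad client_secret")
		}
		return nil
	}
	// Public client ("none"): PKCE with S256 is mandatory, not optional.
	if code.CodeChallengeMethod != "S256" || code.CodeChallenge == "" {
		return errors.New("invalid_grant: public client requires PKCE S256")
	}
	if n := len(req.CodeVerifier); n < 43 || n > 128 {
		return errors.New("invalid_grant: code_verifier must be 43..128 chars")
	}
	if subtle.ConstantTimeCompare([]byte(S256Challenge(req.CodeVerifier)), []byte(code.CodeChallenge)) != 1 {
		return errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return nil
}
```

The verifier/challenge pair from RFC 7636 Appendix B can be used to exercise `S256Challenge` directly.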