Mobile & Browser (Single-Page-App) with OAuth2

We have an excellent blog post on this topic. Read it now!

Creating a public OAuth 2.0 Client

You can create a public OAuth 2.0 Client (e.g. for the authorize code + PKCE or implicit flow) with the CLI

hydra clients create --endpoint http://ory-hydra-admin-api --token-endpoint-auth-method none

or by setting in the HTTP API JSON body when POSTing to /clients:

{
  "client_id": "...",
  "token_endpoint_auth_method": "none"
}

Be aware that when making requests to /oauth2/token or /oauth2/revoke with a public OAuth 2.0 Client, you cannot authenticate with the HTTP Basic Authorization but must include the client_id in the POST body:

POST /oauth2/token
...

client_id=...&
  ...

note

The public clients using a non-https redirect scheme cannot skip consent as per OpenID Sepcification & Certification.

Creating a public OAuth 2.0 Client​

note

Creating a public OAuth 2.0 Client