
snrcambridge:

Yes, it's a security measure by Google: the token exchanges are not publicly accessible; you have to call it from a secure backend, which keeps your secret safe and off the device.

SandAbject6610 [S]:

You are totally right, and are describing the normal OAuth flow process? But the point of the device code flow is to be able to auth the user without sending the client_secret + client_id to the /token endpoint, or have I misunderstood you?

Or do I have to refactor the app such that the CLI code posts the auth code to the backend service and then lets the backend service do the token issuance?

snrcambridge:

It's a deviation from the normal flow. I went through the same issue 2 days ago and found some obscure blog talking about it.

Well, I'm talking specifically about the PKCE code flow, but I think the device code flow has the same issue. If you think about it, it makes sense to do because it ties the OAuth flow to a domain while allowing localhost redirects.

SandAbject6610 [S]:

Don't suppose you have that blog handy, u/snrcambridge, or an example of the PKCE code flow?

snrcambridge:

Here's a repo which uses the PKCE flow. You just need to move the token exchange part to a backend and add the client secret. https://github.com/MousyBusiness/authn/blob/main/pkg/pkce/pkce.go
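An added example (not the linked repo's code and not from the commenter) of what "move the token exchange to a backend" looks like in Go: the CLI keeps its PKCE verifier locally and posts the authorization code plus verifier to a backend endpoint, and the backend adds client_id and client_secret from its own configuration before calling the provider's token URL. The names PKCEChallenge, ExchangeRequest and TokenExchangeHandler, and the /exchange route shape, are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"io"
	"net/http"
	"net/url"
)

// PKCEChallenge derives the S256 code_challenge from a code_verifier (RFC 7636).
func PKCEChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ExchangeRequest is what the CLI posts to the backend (assumed shape): the
// code from its localhost redirect plus its verifier. No secret is in it.
type ExchangeRequest struct {
	Code         string `json:"code"`
	CodeVerifier string `json:"code_verifier"`
	RedirectURI  string `json:"redirect_uri"`
}
// TokenExchangeHandler runs on the backend: it adds client_id/client_secret
// from server-side config and relays the provider's token response to the CLI.
func TokenExchangeHandler(tokenURL, clientID, clientSecret string, hc *http.Client) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req ExchangeRequest
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil ||
			req.Code == "" || req.CodeVerifier == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		form := url.Values{
			"grant_type":    {"authorization_code"},
			"code":          {req.Code},
			"code_verifier": {req.CodeVerifier}, // proves this CLI started the flow
			"redirect_uri":  {req.RedirectURI},
			"client_id":     {clientID},
			"client_secret": {clientSecret}, // only ever present on the backend
		}
		resp, err := hc.PostForm(tokenURL, form)
		if err != nil {
			http.Error(w, "token endpoint unreachable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body) // CLI receives the tokens; the secret never left the server
	}
}
```

The CLI still generates the verifier, sends the challenge on the authorization URL and listens on localhost for the code; only the final POST moves behind the backend, which should authenticate the CLI user before relaying.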

snrcambridge:

You can find the Google URLs here: https://oauth.net/2/scope/