Remove support for Client Secret and HS256 (#304)

auth0 · Nov 29, 2023 · f487255 · f487255
1 parent 90013cd
commit f487255
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 14 deletions.
diff --git a/src/Auth0.OidcClient.Core/Auth0ClientBase.cs b/src/Auth0.OidcClient.Core/Auth0ClientBase.cs
@@ -170,11 +170,6 @@ private OidcClientOptions CreateOidcClientOptions(Auth0ClientOptions options)
                 }
             };
 
-#pragma warning disable CS0618 // ClientSecret will be removed in a future update.
-            if (!String.IsNullOrWhiteSpace(oidcClientOptions.ClientSecret))
-                oidcClientOptions.ClientSecret = options.ClientSecret;
-#pragma warning restore CS0618
-
             if (options.RefreshTokenMessageHandler != null)
                 oidcClientOptions.RefreshTokenInnerHttpHandler = options.RefreshTokenMessageHandler;
 

diff --git a/src/Auth0.OidcClient.Core/Auth0ClientOptions.cs b/src/Auth0.OidcClient.Core/Auth0ClientOptions.cs
@@ -21,13 +21,6 @@ public class Auth0ClientOptions
         /// </summary>
         public string ClientId { get; set; }
 
-        /// <summary>
-        /// Your Auth0 Client Secret.
-        /// </summary>
-        [Obsolete("Client Secrets should not be used in non-confidential clients such as native desktop and mobile apps. " +
-            "This property will be removed in a future release.")]
-        public string ClientSecret { get; set; }
-
         /// <summary>
         /// Your Auth0 tenant domain.
         /// </summary>

diff --git a/src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs b/src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs
@@ -41,8 +41,8 @@ internal async Task AssertTokenMeetsRequirements(IdTokenRequirements required, s
 
             var token = DecodeToken(rawIDToken);
 
-            // For now we want to support HS256 + ClientSecret as we just had a major release.
-            // TODO: In the next major (v4.0) we should remove this condition as well as Auth0ClientOptions.ClientSecret
+            // Signature Verification is optional because the token endpoint is over HTTPS.
+            // As we allow HS256 signed Id token, but we do not have a Client Secret we skip signature verification for HS256.
             if (token.SignatureAlgorithm != "HS256")
                 (signatureVerifier ?? await assymetricSignatureVerifier.ForJwks(required.Issuer)).VerifySignature(rawIDToken);