Authorization Code Flow with Client Secret #3
Labels: enhancement, good first issue, help wanted
First of all, thanks @ctron for this wonderful tool. I want to quickly outline my use case for oidc-cli and discuss one limitation I encountered.
Use case
I use oidc-cli to obtain an access token from Keycloak. Then, I swap the token for an AccessToken using MinIO's STS.
I noticed that MinIO requires its OIDC clients to be confidential, i.e. use a client secret. It supports the Authorization Code Flow and the Client Credentials Flow (aka Service Account Roles in Keycloak).
The latter one works with oidc-cli, but does not make much sense, since I want the end user to authenticate itself and not the OIDC client.
Issue
Is there a particular reason why the client types in oidc-cli are named "confidential" and "public" instead of using the OIDC flow names?
What I need in the MinIO use case described above is a confidential client (i.e. a client sending its client secret) via Authorization Code Flow.
I think this is not the typical use case, but should be supported by the OIDC spec.
What do you think?
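
For reference, an added example (not part of the original issue and not oidc-cli's own code) of what the request above means on the wire: the Authorization Code Flow token request built for a public client and for a confidential client using client_secret_basic. The function name `token_request` and all sample values are constructed for illustration.

```python
import base64
from urllib.parse import quote_plus, urlencode


def token_request(code, redirect_uri, client_id, client_secret=None, code_verifier=None):
    """Build (headers, body) for the authorization_code grant (RFC 6749, section 4.1.3)."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if code_verifier is not None:
        # PKCE (RFC 7636) can be used by public and confidential clients alike.
        form["code_verifier"] = code_verifier
    if client_secret is None:
        # Public client: holds no secret, so it only names itself in the body.
        form["client_id"] = client_id
    else:
        # Confidential client, client_secret_basic: id and secret are each
        # form-urlencoded, joined with ":", then base64-encoded
        # (RFC 6749, section 2.3.1). The secret never goes into the URL.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    return headers, urlencode(form)


if __name__ == "__main__":
    # Constructed sample values; the code would come from the redirect back
    # to the local listener after the end user logged in at the IdP.
    common = dict(code="abc123", redirect_uri="http://localhost:8080/",
                  code_verifier="constructed-verifier")
    for label, kwargs in [
        ("public", dict(client_id="demo-public")),
        ("confidential", dict(client_id="demo-minio", client_secret="s3cr:et/+")),
    ]:
        headers, body = token_request(**common, **kwargs)
        print(label, headers, body, sep="\n  ")
```

In both cases the end user authenticates in the browser; the client secret only authenticates the client at the token endpoint.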