OIDC Token Requests
Your application can interact with OIDC tokens in different ways.
Confidential clients perform login flows using their own client ID and client secret. All CERN applications are confidential clients by default.
Public Clients and Implicit Flow
Public clients do not use a client secret and should use the "Implicit Flow". This is useful for client-side applications, such as ReactJS sites, where a secret cannot be stored safely. To configure an application as a public client, select the option "My client cannot store a secret safely" when registering for OIDC in the application portal.
Your application may need to talk to another secured application on behalf of the user. To do this, you can exchange the user's token that your application received for a token for the target application. The target application defines which applications are authorised to exchange tokens.
To enable Token Exchange, both the source and the target application must be configured. You can find an option to do this after registering for OIDC in the application portal.
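The exchange described above, sketched as an added example that is not part of the original page or of CERN's own code. It assumes the identity provider accepts the standard OAuth 2.0 Token Exchange parameters (RFC 8693) and issues JWT access tokens; the endpoint URL and the function names are hypothetical placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder endpoint (assumption, not taken from the page).
TOKEN_ENDPOINT = "https://sso.example.org/token"
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(client_id, client_secret, user_token, target_app):
    """Build the POST that trades the user's token for one aimed at target_app."""
    form = {
        "grant_type": GRANT,
        "subject_token": user_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": target_app,
    }
    # Confidential client: authenticate with HTTP Basic, secret stays out of the body.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (sanity check only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_exchange_response(body, target_app):
    """Return the new access token, or raise if the exchange was refused or
    the issued token is not addressed to the target application."""
    reply = json.loads(body)
    if "error" in reply:
        raise PermissionError(f"{reply['error']}: {reply.get('error_description', '')}")
    aud = jwt_claims(reply["access_token"]).get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if target_app not in aud:
        raise ValueError(f"token audience {aud} does not include {target_app}")
    return reply["access_token"]
```

The audience check here only catches a misconfigured exchange on the calling side; the target application must still verify the token's signature and audience itself.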