OIDC Token Requests

Your application can interact with OIDC tokens in different ways.

Confidential Clients

Confidential clients perform login flows using their own client ID and client secret. All CERN applications are confidential clients by default.

Public Clients and Implicit Flow

Public clients do not use a client secret and should use the "Implicit Flow". This is useful for client-side applications, like ReactJS sites, where a secret cannot be stored safely. To configure an application as a public client, select the option "My client cannot store a secret safely" when registering for OIDC in the application portal.

Token Exchange

Your application may need to talk to another secured application on behalf of the user. To do this, you can exchange the user's token, as received by your application, for a token for the target application. The target application defines which applications are authorised to exchange tokens.

To enable Token Exchange, both the source and target applications must be configured. You can find an option to do this after registering for OIDC in the application portal.
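
The exchange described above, as an added example (not code from this documentation): it builds the token request a confidential source application would send and checks the reply. It assumes the server follows OAuth 2.0 Token Exchange (RFC 8693) with the client secret sent in the form body; the endpoint URL, application names and function names are placeholders.

```python
import urllib.parse
import urllib.request

# Placeholder endpoint: the page does not give the token endpoint URL.
TOKEN_ENDPOINT = "https://auth.example.invalid/token"
# Assumption: the server implements RFC 8693; these URNs are defined there.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(client_id, client_secret, user_token, target_app):
    """Build the POST that trades the user's token for a target_app token."""
    if not user_token or not target_app:
        raise ValueError("user_token and target_app are required")
    form = {
        "grant_type": GRANT_TYPE,
        "subject_token": user_token,            # token your app received
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": target_app,                 # client ID of the target app
        "client_id": client_id,                 # the source app's own identity
        "client_secret": client_secret,
    }
    # The secret travels in the body, never in the URL, so it stays out of
    # access logs and proxy histories.
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_exchange_response(payload):
    """Return the exchanged access token from the decoded JSON reply."""
    if "error" in payload:
        # E.g. the target has not authorised this source app to exchange.
        detail = payload.get("error_description", "")
        raise PermissionError(f"{payload['error']}: {detail}")
    if payload.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("server did not issue an access token")
    if payload.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return payload["access_token"]
```

To send the request, pass the result of build_exchange_request to urllib.request.urlopen and decode the JSON body before handing it to parse_exchange_response.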