Question: Should client secret be part of authorization endpoint redirect URL?

[highbyte]

I have a Keycloak client configured like this
- Standard (code) flow
- Client secret (access type: confidential)

In an ASP.NET MVC app, when the Keycloak library is authorizing the user by doing a redirect to the Keycloak authorization endpoint (=requesting an access code), it includes the client secret in the URL visible is the user's browser.

https://mydomain/auth/realms/testrealm/protocol/openid-connect/auth?redirect_uri=http:%2F%2Flocalhost:1234%2Fowin%2Fsecurity%2Fkeycloak%2FTestKeycloakCookieAuth%2Fcallback&response_type=code&scope=openid&state=oidc_state_8f5c9780e2b0462eb9883ff102f9370a&client_id=testclient&client_secret=1a111c11-aaa1-11aa-1a11-1a111111a1a1

Is that correct? Shouldn't the client secret only be used in the "back channel" when the library request an Id/Access Token based on the access code (via HTTP post)?

KeycloakOwinAuthentication/src/KeycloakIdentityModel/Utilities/OidcDataManager.cs

Lines 292 to 293 in d80b836

	if (!string.IsNullOrWhiteSpace(_options.ClientSecret))
	parameters.Add(OpenIdConnectParameterNames.ClientSecret, _options.ClientSecret);

[highbyte]

Issue was fixed in the mattmorg55/Owin.Security.Keycloak fork that works with Keycloak v3.2.

mattmorg55#4