Remove support for Client Secret and HS256

auth0 · Nov 27, 2023 · dcb3513 · dcb3513
1 parent 3df218e
commit dcb3513
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 17 deletions.
diff --git a/src/Auth0.OidcClient.Core/Auth0ClientBase.cs b/src/Auth0.OidcClient.Core/Auth0ClientBase.cs
@@ -170,11 +170,6 @@ private OidcClientOptions CreateOidcClientOptions(Auth0ClientOptions options)
                 }
             };
 
-#pragma warning disable CS0618 // ClientSecret will be removed in a future update.
-            if (!String.IsNullOrWhiteSpace(oidcClientOptions.ClientSecret))
-                oidcClientOptions.ClientSecret = options.ClientSecret;
-#pragma warning restore CS0618
-
             if (options.RefreshTokenMessageHandler != null)
                 oidcClientOptions.RefreshTokenInnerHttpHandler = options.RefreshTokenMessageHandler;
 

diff --git a/src/Auth0.OidcClient.Core/Auth0ClientOptions.cs b/src/Auth0.OidcClient.Core/Auth0ClientOptions.cs
@@ -21,13 +21,6 @@ public class Auth0ClientOptions
         /// </summary>
         public string ClientId { get; set; }
 
-        /// <summary>
-        /// Your Auth0 Client Secret.
-        /// </summary>
-        [Obsolete("Client Secrets should not be used in non-confidential clients such as native desktop and mobile apps. " +
-            "This property will be removed in a future release.")]
-        public string ClientSecret { get; set; }
-
         /// <summary>
         /// Your Auth0 tenant domain.
         /// </summary>

diff --git a/src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs b/src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs
@@ -40,11 +40,9 @@ internal async Task AssertTokenMeetsRequirements(IdTokenRequirements required, s
                 throw new IdTokenValidationException("ID token is required but missing.");
 
             var token = DecodeToken(rawIDToken);
-
-            // For now we want to support HS256 + ClientSecret as we just had a major release.
-            // TODO: In the next major (v4.0) we should remove this condition as well as Auth0ClientOptions.ClientSecret
-            if (token.SignatureAlgorithm != "HS256")
-                (signatureVerifier ?? await assymetricSignatureVerifier.ForJwks(required.Issuer)).VerifySignature(rawIDToken);
+
+            if (signatureVerifier != null)
+                (await assymetricSignatureVerifier.ForJwks(required.Issuer)).VerifySignature(rawIDToken);
 
             AssertTokenClaimsMeetRequirements(required, token, pointInTime ?? DateTime.Now);
         }