Hi everyone,
I'm trying to set up authentication for a simple web application and I'm running into some confusion around OAuth/OIDC best practices with Cloudron.
My Setup:
Frontend: Static website served by Surfer (Cloudron app)
Backend: n8n workflows for API endpoints
Authentication: Want to use Cloudron's built-in OIDC
My Intended Flow:
User clicks login on frontend (JavaScript SPA)
Redirect to Cloudron OIDC authorization endpoint
User authenticates with Cloudron
Frontend receives authorization code/token
Frontend passes token to n8n backend for verification
n8n validates token with Cloudron and proceeds with authorized operations
The Problem:
I understand that exposing a client_secret in JavaScript is a security anti-pattern. For single-page applications, the recommended approach is to use a "public client" with PKCE (Proof Key for Code Exchange) instead of client secrets.
However, when I look at Cloudron's OIDC app configuration, I don't see any option to:
Configure a client as "public" (no secret required)
Enable PKCE support
Set the client type appropriately for SPAs
My Questions:
Does Cloudron's OIDC implementation support public clients with PKCE?
If not, what's the recommended pattern for SPA authentication with Cloudron?
Should I be using a different flow entirely (like having n8n handle the OAuth dance server-side)?
Is installing a separate Keycloak instance the only way to get proper SPA OIDC support?
I'm hoping there's a standard way to handle this that I'm missing. The alternative of putting authentication logic entirely in n8n (server-side) seems to complicate the frontend significantly.
Any guidance on the proper architecture pattern here would be greatly appreciated!
Additional Context:
All components are running on the same Cloudron instance
I'd prefer to stick with Cloudron's built-in capabilities if possible
Thanks in advance!