Cloudron Forum
Cloudron OIDC with SPA Frontend - PKCE Configuration Missing?
jorrg wrote (#1):

    Hi everyone,

    I'm trying to set up authentication for a simple web application and I'm running into some confusion around OAuth/OIDC best practices with Cloudron.

    My Setup:

    • Frontend: Static website served by Surfer (Cloudron app)
    • Backend: n8n workflows for API endpoints
    • Authentication: Want to use Cloudron's built-in OIDC

    My Intended Flow:

    • User clicks login on frontend (JavaScript SPA)
    • Redirect to Cloudron OIDC authorization endpoint
    • User authenticates with Cloudron
    • Frontend receives authorization code/token
    • Frontend passes token to n8n backend for verification
    • n8n validates token with Cloudron and proceeds with authorized operations

    The Problem:
    I understand that exposing a client_secret in JavaScript is a security anti-pattern. For single-page applications, the recommended approach is to use a "public client" with PKCE (Proof Key for Code Exchange) instead of client secrets.

    However, when I look at Cloudron's OIDC app configuration, I don't see any option to:

    • Configure a client as "public" (no secret required)
    • Enable PKCE support
    • Set the client type appropriately for SPAs

    My Questions:

    • Does Cloudron's OIDC implementation support public clients with PKCE?
    • If not, what's the recommended pattern for SPA authentication with Cloudron?
    • Should I be using a different flow entirely (like having n8n handle the OAuth dance server-side)?
    • Is installing a separate Keycloak instance the only way to get proper SPA OIDC support?

    I'm hoping there's a standard way to handle this that I'm missing. The alternative of putting authentication logic entirely in n8n (server-side) seems to complicate the frontend significantly.

    Any guidance on the proper architecture pattern here would be greatly appreciated!

    Additional Context:

    • All components are running on the same Cloudron instance
    • I'd prefer to stick with Cloudron's built-in capabilities if possible

    Thanks in advance!

james marked this topic as a regular topic
james moved this topic from Support

james (Staff) wrote (#2):

      Hello @jorrg
      I've moved your topic to the @discuss section since this is not a direct issue with the Cloudron platform itself.

      This is a very interesting setup you are running there.
      Your questions regarding PKCE are valid, and we will have to look into it.

nebulon (Staff) wrote (#3):

        We use https://github.com/panva/node-oidc-provider internally and that is supposed to support PKCE. Not sure yet how to use it to test what this needs.

        Until that is working, the options are a Keycloak instance or a small backend which gives the SPA some kind of session while handling the OIDC login bits.
