@flink-app/oidc-plugin 2.0.0-alpha.68 → 2.0.0-alpha.69

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @flink-app/oidc-plugin
 
+## 2.0.0-alpha.69
+
+### Minor Changes
+
+-   feat(oidc-plugin): support public clients with PKCE-only authentication (no client secret)
+
+    `clientSecret` is now optional in `OidcProviderConfig`. When omitted, the plugin configures `openid-client` with `token_endpoint_auth_method: "none"` for public client flows. Added `tokenEndpointAuthMethod` option for explicit control. Encryption key derivation skips providers without a secret, and `storeTokens: true` requires an explicit `encryptionKey` when no provider has a client secret.
+
+### Patch Changes
+
+-   @flink-app/flink@2.0.0-alpha.69
+-   @flink-app/jwt-auth-plugin@2.0.0-alpha.69
+
 ## 2.0.0-alpha.68
 
 ### Patch Changes

package/dist/OidcPlugin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcPlugin.d.ts","sourceRoot":"","sources":["../src/OidcPlugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,WAAW,EAAO,MAAM,kBAAkB,CAAC;AAE9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAWxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,WAAW,CA2MlE"}
+{"version":3,"file":"OidcPlugin.d.ts","sourceRoot":"","sources":["../src/OidcPlugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,WAAW,EAAO,MAAM,kBAAkB,CAAC;AAE9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAWxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,WAAW,CAiNlE"}

package/dist/OidcPlugin.js

@@ -124,9 +124,6 @@ function oidcPlugin(options) {
         if (!providerConfig.clientId) {
             throw new Error(`OIDC Plugin: ${providerName} clientId is required`);
         }
-        if (!providerConfig.clientSecret) {
-            throw new Error(`OIDC Plugin: ${providerName} clientSecret is required`);
-        }
         if (!providerConfig.callbackUrl) {
             throw new Error(`OIDC Plugin: ${providerName} callbackUrl is required`);
         }
@@ -144,19 +141,28 @@ function oidcPlugin(options) {
     // Determine encryption key
     let encryptionKey = options.encryptionKey;
     if (!encryptionKey) {
-        // Derive from first configured provider's client secret
-        const firstProvider = configuredProviders[0];
-        const firstProviderConfig = options.providers[firstProvider];
-        if (firstProviderConfig) {
-            encryptionKey = firstProviderConfig.clientSecret;
+        // Derive from the first configured provider that has a client secret
+        const providerWithSecret = configuredProviders.find((name) => options.providers[name]?.clientSecret);
+        if (providerWithSecret) {
+            encryptionKey = options.providers[providerWithSecret].clientSecret;
             flink_1.log.warn("OIDC Plugin: No encryption key provided, deriving from client secret. " + "For better security, provide a dedicated encryptionKey in options.");
         }
     }
-    if (!encryptionKey || encryptionKey.length < 32) {
-        throw new Error("OIDC Plugin: Encryption key must be at least 32 characters");
+    // Encryption key is required when storing tokens
+    if (options.storeTokens) {
+        if (!encryptionKey || encryptionKey.length < 32) {
+            throw new Error("OIDC Plugin: Encryption key must be at least 32 characters. " +
+                "Provide an explicit encryptionKey when using storeTokens with public clients (no clientSecret).");
+        }
+        (0, encryption_utils_1.validateEncryptionSecret)(encryptionKey);
+    }
+    else if (encryptionKey) {
+        // Validate if provided, even when not storing tokens (used for getConnection/getConnections)
+        if (encryptionKey.length < 32) {
+            throw new Error("OIDC Plugin: Encryption key must be at least 32 characters");
+        }
+        (0, encryption_utils_1.validateEncryptionSecret)(encryptionKey);
     }
-    // Validate encryption key
-    (0, encryption_utils_1.validateEncryptionSecret)(encryptionKey);
     let flinkApp;
     let sessionRepo;
     let connectionRepo;

package/dist/OidcPluginOptions.d.ts

@@ -246,7 +246,9 @@ export interface OidcPluginOptions {
     sessionTTL?: number;
     /**
      * Encryption key for encrypting stored OIDC tokens
-     * If not provided, will be derived from first configured provider's client secret
+     * If not provided, will be derived from the first configured provider's client secret
+     *
+     * Required when using storeTokens with public clients (no clientSecret).
      *
      * Recommended: Use a dedicated encryption key from environment variables
      * Must be at least 32 characters

package/dist/OidcPluginOptions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcPluginOptions.d.ts","sourceRoot":"","sources":["../src/OidcPluginOptions.ts"],"names":[],"mappings":"AAAA,OAAO,WAAW,MAAM,uBAAuB,CAAC;AAChD,OAAO,YAAY,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,OAAO,CAAC,EAAE,GAAG,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IACxC;;;OAGG;IACH,IAAI,EAAE,GAAG,CAAC;IAEV;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACtC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iBAAiB;IAC9B;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAE9C;;;;;;;;;;;OAWG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgDG;IACH,aAAa,EAAE,CACX,MAAM,EAAE;QACJ;;WAEG;QACH,OAAO,EAAE,WAAW,CAAC;QAErB;;;WAGG;QACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAE5B;;WAEG;QACH,QAAQ,EAAE,MAAM,CAAC;QAEjB;;;WAGG;QACH,MAAM,CAAC,EAAE,YAAY,CAAC;KACzB,EACD,GAAG,EAAE,GAAG,KACP,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,SAAS,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAErG;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAE9E;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;OAGG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAEnC;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;;OAOG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC5B"}
+{"version":3,"file":"OidcPluginOptions.d.ts","sourceRoot":"","sources":["../src/OidcPluginOptions.ts"],"names":[],"mappings":"AAAA,OAAO,WAAW,MAAM,uBAAuB,CAAC;AAChD,OAAO,YAAY,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,OAAO,CAAC,EAAE,GAAG,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IACxC;;;OAGG;IACH,IAAI,EAAE,GAAG,CAAC;IAEV;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACtC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iBAAiB;IAC9B;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAE9C;;;;;;;;;;;OAWG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgDG;IACH,aAAa,EAAE,CACX,MAAM,EAAE;QACJ;;WAEG;QACH,OAAO,EAAE,WAAW,CAAC;QAErB;;;WAGG;QACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAE5B;;WAEG;QACH,QAAQ,EAAE,MAAM,CAAC;QAEjB;;;WAGG;QACH,MAAM,CAAC,EAAE,YAAY,CAAC;KACzB,EACD,GAAG,EAAE,GAAG,KACP,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,SAAS,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAErG;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAE9E;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;OAGG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAEnC;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;;OAOG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC5B"}

package/dist/OidcProviderConfig.d.ts

@@ -18,8 +18,19 @@ export interface OidcProviderConfig {
     /**
      * OAuth 2.0 client secret
      * Provided by the IdP - keep this secure!
+     *
+     * Optional for public clients using PKCE-only authentication.
+     * When omitted, token_endpoint_auth_method defaults to "none".
      */
-    clientSecret: string;
+    clientSecret?: string;
+    /**
+     * Token endpoint authentication method
+     *
+     * - "client_secret_basic": HTTP Basic auth with client_id and client_secret (default when clientSecret is provided)
+     * - "client_secret_post": client_id and client_secret in POST body
+     * - "none": No client authentication (default when clientSecret is omitted, for public/PKCE-only clients)
+     */
+    tokenEndpointAuthMethod?: "client_secret_basic" | "client_secret_post" | "none";
     /**
      * Callback URL for OAuth redirect
      * Must match the redirect URI registered with the IdP

package/dist/OidcProviderConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcProviderConfig.d.ts","sourceRoot":"","sources":["../src/OidcProviderConfig.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IAEH;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACzC"}
+{"version":3,"file":"OidcProviderConfig.d.ts","sourceRoot":"","sources":["../src/OidcProviderConfig.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;OAMG;IACH,uBAAuB,CAAC,EAAE,qBAAqB,GAAG,oBAAoB,GAAG,MAAM,CAAC;IAEhF;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IAEH;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACzC"}

package/dist/providers/OidcProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwC,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvF,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAInD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA+CjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAqC/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAajE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IA2BjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}
+{"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwD,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvG,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAInD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA0DjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAqC/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAajE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IA2BjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}

package/dist/providers/OidcProvider.js

@@ -54,12 +54,22 @@ class OidcProvider {
                 });
             }
             // Create OIDC client
-            this.client = new this.issuer.Client({
+            const clientMetadata = {
                 client_id: this.config.clientId,
-                client_secret: this.config.clientSecret,
                 redirect_uris: [this.config.callbackUrl],
                 response_types: ["code"],
-            });
+            };
+            if (this.config.clientSecret) {
+                clientMetadata.client_secret = this.config.clientSecret;
+                clientMetadata.token_endpoint_auth_method =
+                    this.config.tokenEndpointAuthMethod || "client_secret_basic";
+            }
+            else {
+                // Public client (PKCE-only) — openid-client requires this to skip client authentication
+                clientMetadata.token_endpoint_auth_method =
+                    this.config.tokenEndpointAuthMethod || "none";
+            }
+            this.client = new this.issuer.Client(clientMetadata);
             this.initialized = true;
         }
         catch (error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flink-app/oidc-plugin",
-  "version": "2.0.0-alpha.68",
+  "version": "2.0.0-alpha.69",
   "description": "Flink plugin for OIDC authentication with generic IdP support",
   "author": "joel@frost.se",
   "license": "MIT",
@@ -11,10 +11,10 @@
   },
   "dependencies": {
     "openid-client": "^5.7.0",
-    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.68"
+    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.69"
   },
   "peerDependencies": {
-    "@flink-app/flink": ">=2.0.0-alpha.68",
+    "@flink-app/flink": ">=2.0.0-alpha.69",
     "mongodb": "^6.15.0"
   },
   "peerDependenciesMeta": {
@@ -27,9 +27,9 @@
     "@types/node": "22.13.10",
     "ts-node": "^10.9.2",
     "tsc-watch": "^4.2.9",
-    "@flink-app/flink": "2.0.0-alpha.68",
-    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.68",
-    "@flink-app/test-utils": "2.0.0-alpha.68"
+    "@flink-app/flink": "2.0.0-alpha.69",
+    "@flink-app/test-utils": "2.0.0-alpha.69",
+    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.69"
   },
   "scripts": {
     "test": "jasmine-ts --config=./spec/support/jasmine.json",

package/spec/helpers/test-helpers.ts

@@ -39,6 +39,20 @@ export function createTestProviderConfig(overrides?: Partial<OidcProviderConfig>
     };
 }
 
+/**
+ * Create a test OIDC provider configuration for a public client (no clientSecret)
+ */
+export function createPublicClientProviderConfig(overrides?: Partial<OidcProviderConfig>): OidcProviderConfig {
+    return {
+        issuer: "https://test-idp.example.com",
+        clientId: "test-public-client-id",
+        callbackUrl: "http://localhost:3000/oidc/test/callback",
+        discoveryUrl: "https://test-idp.example.com/.well-known/openid-configuration",
+        scope: ["openid", "email", "profile"],
+        ...overrides,
+    };
+}
+
 /**
  * Create a mock OIDC token set
  */

package/spec/plugin/OidcPlugin.spec.ts

@@ -6,7 +6,7 @@
  */
 
 import { oidcPlugin } from "../../src/OidcPlugin";
-import { createTestProviderConfig } from "../helpers/test-helpers";
+import { createTestProviderConfig, createPublicClientProviderConfig } from "../helpers/test-helpers";
 
 describe("OidcPlugin", () => {
 
@@ -72,6 +72,80 @@ describe("OidcPlugin", () => {
         });
     });
 
+    describe("public client (PKCE-only) support", () => {
+        it("should accept provider without clientSecret when encryptionKey is provided", () => {
+            expect(() => {
+                oidcPlugin({
+                    providers: {
+                        test: createPublicClientProviderConfig(),
+                    },
+                    encryptionKey: "valid-encryption-key-at-least-32-chars-long",
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).not.toThrow();
+        });
+
+        it("should accept provider without clientSecret when storeTokens is false", () => {
+            expect(() => {
+                oidcPlugin({
+                    providers: {
+                        test: createPublicClientProviderConfig(),
+                    },
+                    storeTokens: false,
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).not.toThrow();
+        });
+
+        it("should accept provider without clientSecret when storeTokens is not set (defaults to false)", () => {
+            expect(() => {
+                oidcPlugin({
+                    providers: {
+                        test: createPublicClientProviderConfig(),
+                    },
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).not.toThrow();
+        });
+
+        it("should throw when storeTokens is true, no encryptionKey, and no provider has clientSecret", () => {
+            expect(() => {
+                oidcPlugin({
+                    providers: {
+                        test: createPublicClientProviderConfig(),
+                    },
+                    storeTokens: true,
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).toThrowError(/Encryption key must be at least 32 characters/);
+        });
+
+        it("should derive encryption key from provider with clientSecret when mixed with public clients", () => {
+            expect(() => {
+                oidcPlugin({
+                    providers: {
+                        publicProvider: createPublicClientProviderConfig(),
+                        confidentialProvider: createTestProviderConfig(),
+                    },
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).not.toThrow();
+        });
+
+        it("should accept storeTokens with explicit encryptionKey for public clients", () => {
+            expect(() => {
+                oidcPlugin({
+                    providers: {
+                        test: createPublicClientProviderConfig(),
+                    },
+                    storeTokens: true,
+                    encryptionKey: "valid-encryption-key-at-least-32-chars-long",
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).not.toThrow();
+        });
+    });
+
     describe("plugin structure", () => {
         it("should return plugin with correct ID", () => {
             const plugin = oidcPlugin({

package/src/OidcPlugin.ts

@@ -102,9 +102,6 @@ export function oidcPlugin(options: OidcPluginOptions): FlinkPlugin {
         if (!providerConfig.clientId) {
             throw new Error(`OIDC Plugin: ${providerName} clientId is required`);
         }
-        if (!providerConfig.clientSecret) {
-            throw new Error(`OIDC Plugin: ${providerName} clientSecret is required`);
-        }
         if (!providerConfig.callbackUrl) {
             throw new Error(`OIDC Plugin: ${providerName} callbackUrl is required`);
         }
@@ -127,24 +124,33 @@ export function oidcPlugin(options: OidcPluginOptions): FlinkPlugin {
     // Determine encryption key
     let encryptionKey = options.encryptionKey;
     if (!encryptionKey) {
-        // Derive from first configured provider's client secret
-        const firstProvider = configuredProviders[0];
-        const firstProviderConfig = options.providers[firstProvider];
-        if (firstProviderConfig) {
-            encryptionKey = firstProviderConfig.clientSecret;
+        // Derive from the first configured provider that has a client secret
+        const providerWithSecret = configuredProviders.find((name) => options.providers[name]?.clientSecret);
+        if (providerWithSecret) {
+            encryptionKey = options.providers[providerWithSecret].clientSecret;
             log.warn(
                 "OIDC Plugin: No encryption key provided, deriving from client secret. " + "For better security, provide a dedicated encryptionKey in options."
             );
         }
     }
 
-    if (!encryptionKey || encryptionKey.length < 32) {
-        throw new Error("OIDC Plugin: Encryption key must be at least 32 characters");
+    // Encryption key is required when storing tokens
+    if (options.storeTokens) {
+        if (!encryptionKey || encryptionKey.length < 32) {
+            throw new Error(
+                "OIDC Plugin: Encryption key must be at least 32 characters. " +
+                    "Provide an explicit encryptionKey when using storeTokens with public clients (no clientSecret)."
+            );
+        }
+        validateEncryptionSecret(encryptionKey);
+    } else if (encryptionKey) {
+        // Validate if provided, even when not storing tokens (used for getConnection/getConnections)
+        if (encryptionKey.length < 32) {
+            throw new Error("OIDC Plugin: Encryption key must be at least 32 characters");
+        }
+        validateEncryptionSecret(encryptionKey);
     }
 
-    // Validate encryption key
-    validateEncryptionSecret(encryptionKey);
-
     let flinkApp: FlinkApp<OidcInternalContext>;
     let sessionRepo: OidcSessionRepo;
     let connectionRepo: OidcConnectionRepo;

package/src/OidcPluginOptions.ts

@@ -265,7 +265,9 @@ export interface OidcPluginOptions {
 
     /**
      * Encryption key for encrypting stored OIDC tokens
-     * If not provided, will be derived from first configured provider's client secret
+     * If not provided, will be derived from the first configured provider's client secret
+     *
+     * Required when using storeTokens with public clients (no clientSecret).
      *
      * Recommended: Use a dedicated encryption key from environment variables
      * Must be at least 32 characters

package/src/OidcProviderConfig.ts

@@ -20,8 +20,20 @@ export interface OidcProviderConfig {
     /**
      * OAuth 2.0 client secret
      * Provided by the IdP - keep this secure!
+     *
+     * Optional for public clients using PKCE-only authentication.
+     * When omitted, token_endpoint_auth_method defaults to "none".
      */
-    clientSecret: string;
+    clientSecret?: string;
+
+    /**
+     * Token endpoint authentication method
+     *
+     * - "client_secret_basic": HTTP Basic auth with client_id and client_secret (default when clientSecret is provided)
+     * - "client_secret_post": client_id and client_secret in POST body
+     * - "none": No client authentication (default when clientSecret is omitted, for public/PKCE-only clients)
+     */
+    tokenEndpointAuthMethod?: "client_secret_basic" | "client_secret_post" | "none";
 
     /**
      * Callback URL for OAuth redirect

package/src/providers/OidcProvider.ts

@@ -1,4 +1,4 @@
-import { Issuer, Client, generators, TokenSet, UserinfoResponse } from "openid-client";
+import { Issuer, Client, ClientMetadata, generators, TokenSet, UserinfoResponse } from "openid-client";
 import { OidcProviderConfig } from "../OidcProviderConfig";
 import OidcProfile from "../schemas/OidcProfile";
 import OidcTokenSet from "../schemas/OidcTokenSet";
@@ -65,12 +65,23 @@ export class OidcProvider {
             }
 
             // Create OIDC client
-            this.client = new this.issuer.Client({
+            const clientMetadata: ClientMetadata = {
                 client_id: this.config.clientId,
-                client_secret: this.config.clientSecret,
                 redirect_uris: [this.config.callbackUrl],
                 response_types: ["code"],
-            });
+            };
+
+            if (this.config.clientSecret) {
+                clientMetadata.client_secret = this.config.clientSecret;
+                clientMetadata.token_endpoint_auth_method =
+                    this.config.tokenEndpointAuthMethod || "client_secret_basic";
+            } else {
+                // Public client (PKCE-only) — openid-client requires this to skip client authentication
+                clientMetadata.token_endpoint_auth_method =
+                    this.config.tokenEndpointAuthMethod || "none";
+            }
+
+            this.client = new this.issuer.Client(clientMetadata);
 
             this.initialized = true;
         } catch (error: any) {