walid

Reputation: 17

IdentityServer: using a client secret from JavaScript

I'm using IdentityServer 3 and want to know if there is any risk in using a client secret from JavaScript to be able to use the password token grant.

Edit: answer from Scott Brady:

Then you'll also know that the implicit flow returns an access token and that the ROPC flow is insecure and deprecated. By stealing a client secret, other apps can impersonate your app, making phishing very simple. Your token endpoint becomes a public endpoint that anyone can use to validate your users' credentials: https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications

Upvotes: 1

Views: 748

Answers (1)

Scott Brady

Reputation: 5598

If it's JavaScript running in the browser, then your secret is not secret anymore.

JavaScript running in the browser is considered a public client. The implicit flow was explicitly designed for your scenario.

Upvotes: 1
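An added example (not code from the question or the answer) that makes the answer's point concrete: it audits the token request a browser app would send for the two problems described (a shipped `client_secret` and `grant_type=password`), and shows the implicit-flow request a public client sends to the authorize endpoint instead, plus the fragment handling on return. The authority `https://idsrv.example`, client id `spa`, redirect URI and the `/connect/authorize` path are assumed values for illustration.

```javascript
// Constructed example: audit a token-endpoint request body that browser JavaScript would send.
// Returns a list of findings; an empty list means neither problem from the answer is present.
function auditTokenRequest(body) {
  const params = new URLSearchParams(body);
  const findings = [];
  if (params.has('client_secret')) {
    // Anything shipped to the browser is readable by every user of the app.
    findings.push('client_secret shipped to browser: other apps can impersonate this client');
  }
  if (params.get('grant_type') === 'password') {
    // The app handles raw user credentials and the token endpoint validates them for anyone.
    findings.push('grant_type=password: token endpoint becomes a credential-validation endpoint');
  }
  return findings;
}

// Implicit flow for a public client: no secret, the browser is redirected to the
// authorize endpoint and the access token comes back in the URL fragment.
// The "/connect/authorize" path and the scope are assumed for this example.
function buildImplicitAuthorizeUrl(authority, clientId, redirectUri, state) {
  const url = new URL('/connect/authorize', authority);
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'token',
    redirect_uri: redirectUri,
    scope: 'openid api1',
    state, // bound to the browser session so the response can be matched to the request
  }).toString();
  return url.toString();
}

// Parse the fragment returned by the implicit flow; reject it when the state does not
// match, so a token injected by someone else is not accepted.
function parseFragmentToken(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  if (params.get('state') !== expectedState || !params.has('access_token')) {
    return null;
  }
  return {
    accessToken: params.get('access_token'),
    tokenType: params.get('token_type'),
    expiresIn: Number(params.get('expires_in')),
  };
}
```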
