Reputation: 339
OAuth2 - how to authorize without client secret?
I want to create a frontend application. The app should connect to the Strava API. In the authentication documentation, they say the client secret is required to get the access_token. I don't want to store my client secret in my JavaScript code.
I found a blog post where they explain a way where you don't need to pass the client secret, but it's not working, I get an Authorization Error.
Is it possible to get the access_token without the client secret? If not, what is the best solution?
Upvotes: 1
Views: 1414
Answers (1)
Reputation: 1470
You are looking for Implicit Grant flow (Two-Legged) - https://www.rfc-editor.org/rfc/rfc6749#section-1.3.2
Strava seems to implement only Authorization Code Grant flow (Three-Legged) which is safer and force you to have a server that holds the secret to complete the handshake - https://www.rfc-editor.org/rfc/rfc6749#section-4.1
Upvotes: 2
Related Questions
- client secret in OAuth 2.0
- OAuth2 client credentials
- Storing client secret on client side
- OAuth2 without Client Secret – Possible Phishing?
- OAuth2 Sending Client secret in authorization step
- OAuth: How to hide API Secret Key from javascript
- OAuth 2.0 how to encrypt client id and secret
- How to keep the oAuth 2.0 Client Secret a secret?
- Oauth in javascript
- Authenticating a javascript application with OAuth