John
Reputation: 2163
Is safe to have a client id without secret to use in web apps?
The only way that I found to not expose client secret on Front end was to create a client id without secret.
Is safe to have a client id without secret to use in web apps?
Upvotes: 0
Views: 393
Answers (1)
Gary Archer
Reputation: 29243
You use the Authorization Code Flow (PKCE) which generates a secret at runtime. There is no need to configure a secret in the Authorization Server - you just set a client id.
See these resources of mine for more info:
Upvotes: 1
Related Questions
- Proper place for oAuth2 clientId & clientSecret
- Oauth2.0, Is it safe to store client_secret on a local storage
- OAuth storing client id and secret in database
- Oauth 2.0: client id and client secret exposed, is it a security issue?
- Why Resource Server has to know client_id in Spring OAuth2?
- Spring Security OAuth2 clientId and clientSecret
- How authorize in Spring OAuth2 by client_id and secret only?
- Spring OAuth2 token without ClientId and ClientSecret for External Clients
- Security of OAuth2 Client Id and Client Secret
- How to Secure Oauth 2.0 Client ID and Client Secret