Angular2 with Auth0, do I need to hide my ClientID and domain?

Tags: angular, auth0

I've been using Auth0 to build the front-end user authentication part of my site, but am unsure if I should be following the documentation exactly.

If I want to build a commercial product, should I be hiding the client ID and domain? Is this something that would lead to a security breach?

Currently anyone can view my Angular2 source code and look at the client ID and domain.

Syntactic Fructose asked Nov 01 '16 05:11



1 Answer

The client identifier and your domain (which I'm assuming refers to the assigned Auth0 domain, similar to [account].auth0.com) are both considered information that does not need to be kept secret.

The domain represents the entity handling the authentication; the equivalent of accounts.google.com for your application.

The client identifier is defined within the OAuth 2.0 specification, which clearly indicates that it is not confidential information:

The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.

In browser-based or other applications where the actual code is located in a client environment, it's unavoidable to have information stored there for authentication purposes. You just need to be sure that the information stored is okay to be disclosed, like it is with the two examples you gave.

On the other hand, these types of applications could not securely use a client secret as it is defined by OAuth 2.0, because, like you said, anyone could see it by inspecting the code.

João Angelo answered Sep 27 '22 21:09