I've been using Auth0 to build the front-end user authentication part of my site, but am unsure if I should be following the documentation exactly.
If I want to build a commercial product, should I be hiding the client ID and domain? Is this something that would lead to a security breach?
Currently anyone can view my Angular2 source code and look at the client ID and domain.
Another difference between the two sets of credentials is who issues them. Auth0 issues the Client ID/Client Secret to your application. Google issues the Client ID/Client Secret to your Auth0 tenant. Here is some more information about OAuth 2.0: https://auth0.com/docs/protocols/protocol-oauth2.
Both the Client ID and Client Secret are needed to confirm your application's identity, and it is critical that you do not expose your Client Secret.
Using most OAuth 2.0 flows, a client application can identify itself to the authorization server by means of a "client id" and "client secret." The OAuth 2 specification says that the client secret should indeed be kept secret.
The Client ID and Client Secret need to be encoded to Base64, using the UTF-8 character set, in the form of client_id:client_secret. A resource you can use for this purpose is https://www.base64encode.org/. This string is then passed as the Authorization header.
The client identifier and your domain (which I'm assuming refers to the assigned Auth0 domain, similar to [account].auth0.com) are both considered information that does not need to be kept secret.
The domain represents the entity handling the authentication; the equivalent of accounts.google.com for your application.
The client identifier is defined within the OAuth 2.0 specification, which clearly indicates that it is not confidential information:
"The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication."
In browser-based or other applications where the actual code is located in a client environment, it's unavoidable to have information stored there for authentication purposes. You just need to be sure that the information stored is okay to be disclosed, like it is with the two examples you gave.
On the other hand, these types of applications could not securely use a client secret as it is defined by OAuth 2.0 because, like you said, anyone could see it by inspecting the code.
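To make the split between the two answers concrete (the Base64 "client_id:client_secret" Authorization header from the first answer, and the public client identifier and domain from the second), here is an added Node.js example that is not code from the question, either answer, or Auth0. The tenant domain, client id, client secret and the two "bundle" strings are constructed placeholders. It builds the browser-side authorization URL from only the domain and client_id, builds and decodes the server-side Basic header to show that it is reversible, and runs a build-time check that the secret never ends up in a front-end bundle in either form.

```javascript
// Added example, not code from the question or either answer; Node.js, no dependencies.
// All values below are constructed placeholders: the tenant domain, client id and
// client secret are not real credentials.
const TENANT_DOMAIN = "example-tenant.auth0.com"; // placeholder for [account].auth0.com
const CLIENT_ID = "PublicClientId123";            // placeholder; safe to ship in a browser bundle
const CLIENT_SECRET = "server-only-secret-xyz";   // placeholder; must only ever live server-side

// Public client (browser SPA): the authorization request carries the domain and
// client_id only. Both are visible to the user, and the spec says that is fine.
function buildAuthorizeUrl({ domain, clientId, redirectUri, state }) {
  const url = new URL(`https://${domain}/authorize`);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return url.toString();
}

// Confidential client (server-side): the HTTP Basic header described in the first
// answer, Base64 of "client_id:client_secret" encoded as UTF-8.
function buildBasicAuthHeader(clientId, clientSecret) {
  const encoded = Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
  return `Basic ${encoded}`;
}

// The header is an encoding, not an encryption: anyone who can read it gets the
// secret back. That is why it must not be built in code shipped to a browser.
function decodeBasicAuthHeader(header) {
  const [scheme, token] = header.split(" ");
  if (scheme !== "Basic" || !token) throw new Error("not an HTTP Basic header");
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) throw new Error("malformed credentials");
  return { clientId: decoded.slice(0, sep), clientSecret: decoded.slice(sep + 1) };
}

// Build-time guard: scan the front-end bundle for the secret, both raw and in the
// already-encoded Basic header form. Returns the names of the forms found
// (an empty array means the bundle only contains information that is safe to disclose).
function findSecretInBundle(bundleSource, clientId, clientSecret) {
  const forms = {
    raw: clientSecret,
    basicHeader: buildBasicAuthHeader(clientId, clientSecret),
  };
  return Object.entries(forms)
    .filter(([, needle]) => bundleSource.includes(needle))
    .map(([name]) => name);
}

// Constructed bundle snippets standing in for a built Angular app's main.js.
const SAFE_BUNDLE =
  `var cfg={domain:"${TENANT_DOMAIN}",clientId:"${CLIENT_ID}",redirectUri:"https://app.example/callback"};`;
const LEAKY_BUNDLE =
  `var h={Authorization:"${buildBasicAuthHeader(CLIENT_ID, CLIENT_SECRET)}"};`;

// Stand-alone demo.
console.log(buildAuthorizeUrl({ domain: TENANT_DOMAIN, clientId: CLIENT_ID,
  redirectUri: "https://app.example/callback", state: "constructed-state" }));
console.log("safe bundle leaks:", findSecretInBundle(SAFE_BUNDLE, CLIENT_ID, CLIENT_SECRET));
console.log("leaky bundle leaks:", findSecretInBundle(LEAKY_BUNDLE, CLIENT_ID, CLIENT_SECRET));
```

The guard is the practical takeaway for a commercial product: run it against the built bundle in CI so that a secret copied into an environment file that the front-end build happens to inline is caught before deployment, while the domain and client_id in the safe bundle are expected to be there.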