client_id is totally visible in the bundle.js
j2l opened this issue · 3 comments
Simply visit http://localhost:5000/build/bundle.js and search for client_id
Yes, that is how it works. Here are some resources you can use to educate yourself about OAuth/OIDC and security related to what is exposed to the browser in different authorization flows.
https://openid.net/specs/openid-connect-core-1_0.html
https://datatracker.ietf.org/doc/html/rfc7636
https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce
https://auth0.com/docs/authorization/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
I was not mean but hey, you can use the auth0 svelte code and tutorial to educate yourself. It does the same stuff without the need for additional packages.
I frankly hoped that yours was doing it differently.
The client_id is not a secret. There is no need to hide or obfuscate it in an SPA.