Is exposing client secret a threat for implicit grant type in oauth 2?
I have an application which needs to implement OAuth 2 for securing a REST API. The simple flow will be: when a user logs in, they should have access to some protected resources (as per their role).
I will be using Angular 7 as the front end.
As per this diagram I need to use the implicit grant for Single Page Applications.
Now I went on to search and found https://www.devglan.com/spring-security/spring-boot-oauth2-angular
API Name - Login
Method - POST
URL - oauth/login
Header - 'Authorization': 'Basic ' + btoa('devglan-client:devglan-secret')
Body - {'username' :'admin ',
'password' :'admin',
'grant_type': 'password' }
Content-type: application/x-www-form-urlencoded
Now my only concern in this approach is:
i. Why are this client id and client secret revealed in the Angular code? Is the client secret not supposed to be kept secret?
java angular spring-boot spring-security-oauth2
asked Jan 20 at 3:07
sagar limbusagar limbu
1 Answer
We don't need any secret key to implement the implicit grant flow in JS applications.
You can see the following HTTP URL sample, which needs a few things such as client_id, redirect_uri, etc.
We will get the access token in the URL fragment of the redirect_uri, and this token authenticates you to access protected resources. However, the scope parameter also plays an important role in determining resources and their entitlements.
HTTP Request URI
https://YOUR_AUTH0_DOMAIN/authorize?
audience=YOUR_API_AUDIENCE&
scope=YOUR_SCOPE&
response_type=YOUR_RESPONSE_TYPE&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://YOUR_APP/callback&
nonce=YOUR_CRYPTOGRAPHIC_NONCE&
state=YOUR_OPAQUE_VALUE
I would highly suggest going with the Authorization Code Grant with PKCE even for JS applications, because the access token is vulnerable to various security risks. With PKCE, the attacker needs to solve the puzzle (code challenge) in order to get the access token.
are you talking about something like openid and okta ?
– sagar limbu
Jan 20 at 5:41
answered Jan 20 at 5:11
sanjeevsanjeev