
Security issue

Open robcalcroft opened this issue 9 years ago • 2 comments

How is this secure? Your client_id and client_secret are exposed in bundle.js

robcalcroft avatar Feb 05 '16 22:02 robcalcroft

It uses the password grant type, so we can't get a token without valid credentials. But if you want to hide the client id and secret you can add them on the fly within your Nginx conf:

location ~ ^/oauth/v2/token$ {
      try_files $uri /$app$is_args$args&client_id=CLIENTID&client_secret=CLIENTSECRET;
}

baptadn avatar Jul 26 '16 07:07 baptadn
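A check a maintainer could run against the built bundle before shipping, to confirm whether OAuth client credentials actually ended up in bundle.js. This is an added example, not code from the thread or the project; the sample bundle text is constructed, and the key-name patterns it looks for are assumptions.

```python
import re
import sys
from typing import List, Tuple

# JS/JSON key-value forms: client_secret:"x", "clientSecret": 'x', CLIENT_ID = "x"
KV_PATTERN = re.compile(
    r'["\']?(client[_-]?secret|client[_-]?id)["\']?\s*[:=]\s*(["\'])([^"\']+)\2',
    re.IGNORECASE,
)
# Query-string forms baked into a URL literal: ...?grant_type=password&client_secret=x&...
QS_PATTERN = re.compile(
    r'[?&](client[_-]?secret|client[_-]?id)=([^&"\'\s]+)', re.IGNORECASE
)

# Constructed stand-in for a minified bundle that shipped its credentials.
SAMPLE_BUNDLE = (
    'var e={client_id:"my-app-id",client_secret:"s3cr3t-do-not-ship",grant_type:"password"};'
    'fetch("/oauth/v2/token?grant_type=password&client_id=my-app-id'
    '&client_secret=s3cr3t-do-not-ship")'
)


def _canon(name: str) -> str:
    """Normalise clientSecret / CLIENT-SECRET / client_secret to one key name."""
    return "client_secret" if "secret" in name.lower() else "client_id"


def find_exposed_credentials(bundle_text: str) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (key, value) pairs found in the bundle text."""
    found = set()
    for m in KV_PATTERN.finditer(bundle_text):
        found.add((_canon(m.group(1)), m.group(3)))
    for m in QS_PATTERN.finditer(bundle_text):
        found.add((_canon(m.group(1)), m.group(2)))
    return sorted(found)


def scan_bundle(path: str) -> List[Tuple[str, str]]:
    """Scan a built bundle on disk; errors="replace" tolerates odd bytes in minified output."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_exposed_credentials(f.read())


if __name__ == "__main__":
    hits = scan_bundle(sys.argv[1]) if len(sys.argv) > 1 else find_exposed_credentials(SAMPLE_BUNDLE)
    for key, value in hits:
        print(f"{key} exposed in bundle: {value}")
    sys.exit(1 if hits else 0)
```

Run it as a CI step (`python check_bundle.py dist/bundle.js`); a non-zero exit means a client_id or client_secret literal is shipping to every browser that loads the app.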

Isn't this a client bundle? You can't hide a client secret in the environment if the environment is the user's browser. Am I mistaken?

mxmzb avatar Dec 05 '17 02:12 mxmzb