Auth0 Application Client Secret

oliver.jackson · August 30, 2024, 10:54am

I was following the react sdk setup guide: Auth0 React SDK Quickstarts: Login

This to me seems like the browser would receive the client secret since it is talking directly to Auth0.

My question is this recommended or should I be proxying these requests to hide the client secret?

kostetskyroma · August 30, 2024, 11:14am

When using the Auth0 React SDK for authentication, the client secret should not be exposed to the browser or any frontend application. The client secret is a sensitive piece of information that should be kept secure and only accessible by your backend server.

Recommendation

For frontend applications using the Auth0 React SDK:

Do not expose the client secret to the browser.
Use the Authorization Code Flow with PKCE, which is designed for SPAs and ensures that the client secret remains on the server side.
If you need to make requests that require the client secret, proxy those requests through a backend server where the client secret is securely stored.

oliver.jackson · August 30, 2024, 11:24am

Thanks for the reply, so by default does the auth0-react client expose the client secret to the browser?