I was following the React SDK setup guide: Auth0 React SDK Quickstarts: Login
It seems to me that the browser would receive the client secret, since it is talking directly to Auth0.
My question is: is this recommended, or should I be proxying these requests to hide the client secret?
When using the Auth0 React SDK for authentication, the client secret should not be exposed to the browser or any frontend application. The client secret is a sensitive piece of information that should be kept secure and only accessible by your backend server.
Recommendation
For frontend applications using the Auth0 React SDK:
- Do not expose the client secret to the browser.
- Use the Authorization Code Flow with PKCE, which is designed for SPAs and ensures that the client secret remains on the server side.
- If you need to make requests that require the client secret, proxy those requests through a backend server where the client secret is securely stored.
Thanks for the reply. So, by default, does the auth0-react client expose the client secret to the browser?