Auth0 Application Client Secret

oliver.jackson · August 30, 2024, 10:54am

I was following the react sdk setup guide: Auth0 React SDK Quickstarts: Login

This to me seems like the browser would receive the client secret since it is talking directly to Auth0.

My question is this recommended or should I be proxying these requests to hide the client secret?

kostetskyroma · August 30, 2024, 11:14am

When using the Auth0 React SDK for authentication, the client secret should not be exposed to the browser or any frontend application. The client secret is a sensitive piece of information that should be kept secure and only accessible by your backend server.

Recommendation

For frontend applications using the Auth0 React SDK:

Do not expose the client secret to the browser.
Use the Authorization Code Flow with PKCE, which is designed for SPAs and ensures that the client secret remains on the server side.
If you need to make requests that require the client secret, proxy those requests through a backend server where the client secret is securely stored.

oliver.jackson · August 30, 2024, 11:24am

Thanks for the reply, so by default does the auth0-react client expose the client secret to the browser?

Topic		Replies	Views
Is it safe to only use React with Auth0? Help auth0	8	3716	April 22, 2022
Storing client secret in SPA Help security , client-secret	2	12175	August 30, 2019
Is it okay to have auth0 client information accessible over a public API? Help auth0 , client , public	5	6868	March 2, 2018
Build own SDK for auth, which uses auth0 under the hood Feedback auth0 , spa	0	711	September 18, 2023
Auth0 React - Server Side Login Help	0	1784	April 15, 2022

Auth0 Application Client Secret

Recommendation

Related Topics