I have a React single-page application and a web API which is authenticated. The authentication is all set up and I’m able to make authenticated requests from my web app to my web API.
However, the issue that I’m facing now concerns the cloud deployment of my app. On the client side, I need my Auth0 domain, my Auth0 clientId, callback URL, and API audience to create the Auth0 web login. I’m avoiding hardcoding these details as a JS object in my source code and checking it into source control.
If I add an unauthenticated API in my API code to provide these details, call this API endpoint first to get these values on the client side, and then redirect to Auth0 for the login screen with the details fetched, is it safe? My concern is that anyone can access these details since it will be an unauthenticated API.
I feel it’s a common enough problem to be faced by many people. How do you tackle this?
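
The endpoint described in the question, sketched server-side as an added example that is not part of the original post: it builds the response from deployment environment variables through an explicit allow-list, so only the four values the question names can be served. The environment variable names, `buildPublicConfig()` and the sample values are assumptions made for illustration.

```javascript
// Added example: builds the JSON body a public config endpoint would return.
// Environment variable names and buildPublicConfig() are assumptions.
const PUBLIC_FIELDS = {
  domain: 'AUTH0_DOMAIN',
  clientId: 'AUTH0_CLIENT_ID',
  audience: 'AUTH0_AUDIENCE',
  callbackUrl: 'AUTH0_CALLBACK_URL',
};

function buildPublicConfig(env) {
  const config = {};
  // Copy only allow-listed fields; nothing else in env can reach the response.
  for (const [field, envName] of Object.entries(PUBLIC_FIELDS)) {
    const value = env[envName];
    if (typeof value !== 'string' || value.trim() === '') {
      throw new Error(`missing required setting ${envName}`);
    }
    config[field] = value.trim();
  }
  // The domain is expected as a bare hostname, not a URL.
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/i.test(config.domain)) {
    throw new Error('AUTH0_DOMAIN must be a bare hostname');
  }
  // The callback must use https, except on localhost during development.
  let callback;
  try {
    callback = new URL(config.callbackUrl);
  } catch {
    throw new Error('AUTH0_CALLBACK_URL is not a valid URL');
  }
  const isLocal = ['localhost', '127.0.0.1'].includes(callback.hostname);
  if (callback.protocol !== 'https:' && !(callback.protocol === 'http:' && isLocal)) {
    throw new Error('AUTH0_CALLBACK_URL must use https');
  }
  return Object.freeze(config);
}

// Constructed sample environment; the last two entries must never be served.
const sampleEnv = {
  AUTH0_DOMAIN: 'example-tenant.auth0.example',
  AUTH0_CLIENT_ID: 'CONSTRUCTED_CLIENT_ID',
  AUTH0_AUDIENCE: 'https://api.example.test',
  AUTH0_CALLBACK_URL: 'https://app.example.test/callback',
  AUTH0_CLIENT_SECRET: 'constructed-secret-never-served',
  DATABASE_URL: 'postgres://constructed',
};

console.log(JSON.stringify(buildPublicConfig(sampleEnv)));
```

A route handler would return this object as JSON; because the builder throws on a missing or malformed setting, a misconfigured deployment fails at startup rather than serving a partial config.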