Is it safe to expose client_id, client_secret, and audience on HTML pages?

Brng · May 27, 2018, 4:19am

In the page to obtain a JWT, the jQuery code snippet looks like this:

var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://xyz.auth0.com/oauth/token",
  "method": "POST",
  "headers": {
    "content-type": "application/json"
  },
  "data": "{\"client_id\":\"...\",\"client_secret\":\"...\",\"audience\":\"...\",\"grant_type\":\"client_credentials\"}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

Is it safe to expose client_id, client_secret, and audience on the HTML page(s) of production applications?

luis.rudge · May 27, 2018, 7:33am

client_id: yes. client_secret, absolutely not. We encode tokens with that secret, so, anyone having this secret can emit tokens that your application will think it’s safe.

Also, from a web page, you shouldn’t be calling the oauth/token endpoint. Please follow our jquery quick starts: https://auth0.com/docs/quickstart/spa/jquery/01-login

Brng · July 6, 2018, 11:34am

Luis,

What about the unique audience ID? Is it safe to be exposed?

Screenshot%20from%202018-07-06%2021-34-14

luis.rudge · July 6, 2018, 2:22pm

Yeah, that’s fine. You’ll probably expose the url by making request to it anyway.