Auth0 Community

PKCE Flow risk of exposing publicly authDomain and clientId

olblak June 1, 2023, 6:49am 1

Hi,

I am currently experimenting building a cli which would authenticate on an API using the PKCE flow.
At the moment I have something like

mycli login --oauth-authDomain "example.auth0.com" --oauth-clientId "xxx" "example.com"

and I am considering exposing publicly the authDomain and the clientID via the API so I could simplify to something like

mycli login "example.com"

So my question, is there any security risk to expose publicly the auth domain and the clientid?
They are the same for anyone using the application anyway
Is there a better way to authenticate on an API than using the PKCE flow?

dan.woda June 13, 2023, 12:38pm 3

Welcome to the Auth0 Community!

The domain and client ID are designed to be shared with the client and have exposed to the end user in the PKCE flow.

Hope that helps!

1 Like

system Closed June 29, 2023, 2:52pm 4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Does Authorization Code Flow with PKCE expose the Access Token to the client? Help documentation-request , customer-feedback	4	451	February 22, 2024
OAuth Flow Selection when a server is used for a standard web app and an API Help authorization-code-f , pkce , python , oauth2	4	2971	December 8, 2020
Authorization Code Flow with PKCE .NetCore Help	2	2509	December 22, 2022
Authorization Code Flow with PKCE utilizing package Auth0.AspNetCore.Authentication Help aspnet-core , pkce	7	4321	March 24, 2022
Authorization code flow without client-secret? Help code	5	12491	December 6, 2019