Auth0 Community

PKCE Flow risk of exposing publicly authDomain and clientId

olblak June 1, 2023, 6:49am 1

Hi,

I am currently experimenting building a cli which would authenticate on an API using the PKCE flow.
At the moment I have something like

mycli login --oauth-authDomain "example.auth0.com" --oauth-clientId "xxx" "example.com"

and I am considering exposing publicly the authDomain and the clientID via the API so I could simplify to something like

mycli login "example.com"

So my question, is there any security risk to expose publicly the auth domain and the clientid?
They are the same for anyone using the application anyway
Is there a better way to authenticate on an API than using the PKCE flow?

dan.woda June 13, 2023, 12:38pm 3

Welcome to the Auth0 Community!

The domain and client ID are designed to be shared with the client and have exposed to the end user in the PKCE flow.

Hope that helps!

1 Like

system Closed June 29, 2023, 2:52pm 4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Are application keys (domain and cliendID) supposed to be kept secret? Help auth0	3	3190	March 30, 2020
PKCE Authorization code grant without using browser agent? Help	2	3819	September 5, 2019
Using Authorization Code Flow with PKCE with non-native apps Help	4	3402	July 5, 2019
Authorization Code Flow with PKCE .NetCore Help	2	2512	December 22, 2022
How to authenticate SPA against API without User login Help	4	3781	November 22, 2019