React provider exposes client id?

rkevinburton · July 1, 2020, 4:45am

I would like to hide my client id and client domain in my react application. From the quick start I see something like:

ReactDOM.render(
  <Auth0Provider
    domain="-- MY DOMAIN --"
    clientId="-- MY CLIENT ID --"
    redirectUri={window.location.origin}
  >
    <App />
  </Auth0Provider>,
  document.getElementById("root")
);

But it seems that using this code the client id and domain are exposed in the code. For example if I were to check this code into GitHub my client id and domain would be in public view. What are common strategies for hiding these types of secrets?
Thank you.
Kevin

dan.woda · July 1, 2020, 7:53pm

Hi @rkevinburton,

You can see how we handle it in our react example:

github.com

auth0-samples/auth0-react-samples/blob/41d2e133a9f96c74d0c5f8656fdf96a1054124a6/Sample-01/src/index.js#L19


      
          
          
const onRedirectCallback = (appState) => {
            history.push(
              appState && appState.returnTo
                ? appState.returnTo
                : window.location.pathname
            );
          };
          
          
ReactDOM.render(
            <Auth0Provider
              domain={config.domain}
              clientId={config.clientId}
              audience={config.audience}
              redirectUri={window.location.origin}
              onRedirectCallback={onRedirectCallback}
            >
              <App />
            </Auth0Provider>,
            document.getElementById("root")
          );

We use a seperate file to store these variables, called auth_config.json.

Keep in mind, these variables will inevitably make it into the frontend and be exposed to anyone who attempts to log in to your app. They aren’t technically secret, but keeping them out of repos is something I typically do regardless.

Hope this helps!
Dan

rkevinburton · July 2, 2020, 12:59pm

Thank you for your help. When/Where is he ‘config’ variable’ initialized? In a TypeScript environment the config variable gets a red squiggly indicating an error.

Regards,
Kevin

dan.woda · July 2, 2020, 5:45pm

Did you import config from "./auth_config.json";? (Or whatever relative path you are using)

system · July 17, 2020, 5:45pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
React <Auth0Provider/>, how to pass params from server Help auth0	4	2141	June 28, 2022
Auth0 Application Client Secret Help auth0-react , sdks-quickstarts	2	35	August 30, 2024
React sdk - how to hide default provider screen? Help login-experience , new-universal-login-experience	0	113	June 13, 2024
Are application keys (domain and cliendID) supposed to be kept secret? Help auth0	3	3189	March 30, 2020
Is it safe to only use React with Auth0? Help auth0	8	3716	April 22, 2022

React provider exposes client id?

Related topics