Hello! I am working with Auth0 for the first time; the project is an open-source one whose code will be stored in GitHub repositories. The project structure is a SPA (written in React/Redux) with a .NET Core backend API; the SPA uses the Lock widget to do initial authentication and obtain an access token, which is then provided as a bearer token in the header of requests to the API.
Auth management is not my specialty (hence my excitement about Auth0!) and I’m trying to figure out best practices and make sure I don’t do anything dumb.
Right now, as I see it, I am using the following pieces of potentially sensitive information relating to Auth0:
- The Auth0 domain value (xxxxx.auth0.com), used both in my SPA and API.
- The Auth0 client ID value (gibberish string), used in my SPA application.
- The Auth0 API identifier value (a URL string), used in my API.
Which of these am I safe to keep in source control and which should absolutely be kept secret? At the moment, my plan is that I have two tenants, one for the dev environment and one for prod; the dev tenant info is kept in source control and anyone can use it to spin up the application locally and hack on it, while the prod tenant info is kept hidden in environment variables in our CI/hosting servers. Is this a safe approach to take or should I be restricting the information more carefully?
Thanks for any insight!