To integrate Auth0 with a Blazor Webassembly project, I followed a tutorial, provided by Auth0. It is a clear and good topic but I have some feedback on it. In Blazor it is not possible to keep settings secret in an appsettings.json file. The file is accessible from the browser just by typing appsettings.json behind the domain. When doing this after following the tutorial the ClientId and ClientSecret are not secret anymore. Maybe it is a good idea to adjust the article or add guidance to solve this in a good way.
Hello @r.alblas,
Thanks for appreciating my tutorial and for your feedback about security.
I have a few observations about your concerns.
The tutorial doesn’t use any client secret. A Blazor WASM app is a SPA and technically it’s called a public client. You should never use a client secret in a public client.
The app uses the Authorization Code Flow with PKCE to get the tokens it needs. For this flow, it only uses the Auth0 domain and the client ID, which are the data stored in the appsettings.json file.
The Auth0 domain and the client ID are not considered secrets. They are public data. Even if you protect the appsettings.json file, anyone can analyze the HTTP traffic and obtain them when the app calls the /authorize endpoint.
Of course, there are best practices for storing secrets in a production environment. If you are concerned about the Auth0 domain and client ID settings anyway, you may want to use these best practices as well. Here are a couple of articles about secret management in .NET and Azure. But keep in mind that you are not actually protecting them.