Angular2 with Auth0, do I need to hide my ClientID and domain?

别说谁变了你拦得住时间么 submitted on 2019-12-01 04:55:49

Question


I've been using Auth0 to build the front-end user authentication part of my site, but am unsure if I should be following the documentation exactly.

If I want to build a commercial product, should I be hiding the client ID and domain? Is this something that would lead to a security breach?

Currently anyone can view my Angular2 source code and look at the client ID and domain.


Answer 1:


The client identifier and your domain (which I'm assuming refers to the assigned Auth0 domain, similar to [account].auth0.com) are both considered information that does not need to be kept secret.

The domain represents the entity handling the authentication; the equivalent of accounts.google.com for your application.

The client identifier is defined within the OAuth 2.0 specification, which clearly indicates that it is not confidential information:

The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.

In browser-based or other applications where the actual code is located in a client environment, it's unavoidable to have information stored there for authentication purposes. You just need to be sure that the information stored is okay to be disclosed, like it is with the two examples you gave.

On the other hand, these types of applications could not securely use a client secret as it is defined by OAuth 2.0, because, like you said, anyone could see it by inspecting the code.



Source: https://stackoverflow.com/questions/40354720/angular2-with-auth0-do-i-need-to-hide-my-clientid-and-domain
