Is authorization server id or client id supposed to be secret?

Naive question:

Is exposing my custom authorization server’s id or my application’s clientId a security vulnerability? If anyone has these two things can they blast my rate limits with calls to the authorization server? Can they do that anyways through my login route in my application and so it’s unnecessary to protect the clientId and authz server id? How can I better understand what Okta-related information is sensitive?

Hi @mmd

In the context of Okta and OAuth 2.0/OpenID Connect, your client id and authorization server id are not considered secrets. They are often publicly accessible as they’re needed for the OAuth flow. The client secret, however, should remain confidential. Even if someone has your client id and authorization server id, they can’t abuse your rate limits without a valid user’s credentials or the client secret. Okta has built-in protections against rate limit abuse.

See here for security measures that Okta and you can take:

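As an added illustration of the point in the reply above (example code written for this page, not code from the original thread or from Okta), the Python below builds the two halves of an OAuth 2.0 authorization-code flow against a custom Okta authorization server: the front-channel authorize URL, which the user's browser sees and which therefore carries only public values (authorization server id, client_id, a PKCE code_challenge), and the back-channel token request, which is where a confidential client's client_secret (or, for a public client, the PKCE code_verifier) is presented. The domain, authorization server id, client id and redirect URI are made-up values for the example; the URL shapes follow Okta's documented `/oauth2/{authServerId}/v1/authorize` and `/v1/token` endpoints and RFC 7636 for PKCE.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical values for the example (not real tenant identifiers).
OKTA_DOMAIN = "dev-123456.okta.com"
AUTH_SERVER_ID = "aus1abcdefgHIJKLM0h7"
CLIENT_ID = "0oa1xyzXYZabcDEF0h7"
REDIRECT_URI = "https://app.example.com/callback"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Random code_verifier and its S256 code_challenge.

    The verifier never leaves the client; only the challenge travels in the
    front-channel URL, so an observer of that URL cannot redeem the code.
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def build_authorize_url(domain, auth_server_id, client_id, redirect_uri,
                        scope, state, code_challenge):
    """Front-channel request to a custom authorization server.

    Everything here lands in browser history, referer headers and proxy logs,
    which is why the authorization server id and client_id cannot be secrets.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/oauth2/{auth_server_id}/v1/authorize?{urlencode(params)}"


def build_token_request(domain, auth_server_id, client_id, code, redirect_uri,
                        code_verifier, client_secret=None):
    """Back-channel request; returns (url, headers, form_body) without sending it.

    A public client (SPA, mobile app) has no secret: the PKCE verifier alone
    proves it started the flow. A confidential client additionally presents
    client_secret via HTTP Basic (client_secret_basic). That secret is the value
    to keep out of source control, logs and browser-delivered code.
    """
    url = f"https://{domain}/oauth2/{auth_server_id}/v1/token"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is None:
        body["client_id"] = client_id          # public client: id in the body
    else:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"  # confidential client
    return url, headers, body


def front_channel_params(url: str):
    """Names of every parameter exposed in the authorize URL."""
    return set(parse_qs(urlparse(url).query))


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(OKTA_DOMAIN, AUTH_SERVER_ID, CLIENT_ID,
                              REDIRECT_URI, "openid profile",
                              secrets.token_urlsafe(16), challenge)
    print("public, front-channel:", sorted(front_channel_params(url)))
    _, headers, body = build_token_request(OKTA_DOMAIN, AUTH_SERVER_ID, CLIENT_ID,
                                           "authcode", REDIRECT_URI, verifier,
                                           client_secret="keep-me-private")
    print("secret-bearing header present:", "Authorization" in headers)
```

The practical takeaway: audit where each value appears rather than whether it is "known". client_id and the authorization server id are by design in the URL the browser navigates to; client_secret and code_verifier appear only in the server-to-server token request, so a leak of the former is expected while a leak of the latter is an incident.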
