Is there a need to specifically protect the clientId or is it ok if someone else were to know it?
We are considering a browser-based JavaScript sign-in widget that requires the clientId for the OIDC connection. Is there a definitive need to move over to a server-side JS file?
The only concern is a malicious individual replicating our website to trick users into giving him/her their login credentials.
The client ID can be provided safely to your users client-side. In order to do a successful OpenID Connect flow, Okta needs to send the JWT tokens to a specific callback mentioned on the initial request to the authorization endpoint. This URL needs to be whitelisted in the OpenID Connect application in Okta under Admin >> Applications >> openid app >> General >> Login Redirect URIs.
Any attempt to modify the callback endpoint without whitelisting it in the application's settings will result in an error on Okta's end, thus preventing possible phishing attempts.
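To make the mechanism in this answer concrete, here is an added example (not Okta's code and not the poster's) modelling the check an authorization server performs on an incoming `/authorize` request: the `client_id` is treated as public, and what binds the authorization response to the real site is an exact string match of `redirect_uri` against the list registered for that client. The client id `0oaEXAMPLE123`, the hostnames and the registered URIs are constructed placeholders.

```javascript
// Registered OIDC apps keyed by their public client_id. Constructed sample
// data standing in for the "Login redirect URIs" list in the admin console.
const registeredApps = new Map([
  [
    "0oaEXAMPLE123",
    {
      name: "Example sign-in widget SPA",
      redirectUris: [
        "https://app.example.com/login/callback",
        "http://localhost:8080/login/callback",
      ],
    },
  ],
]);

// Validate an authorization request. Returns { ok, redirectAllowed, ... }:
// redirectAllowed is false whenever the server must NOT send the browser to
// the supplied redirect_uri (unknown client or unregistered URI) and should
// instead render the error on its own page.
function validateAuthorizeRequest(authorizeUrl, apps = registeredApps) {
  const params = new URL(authorizeUrl).searchParams;
  const clientId = params.get("client_id");
  const redirectUri = params.get("redirect_uri");
  const responseType = params.get("response_type");

  const app = apps.get(clientId);
  if (!app) {
    return { ok: false, redirectAllowed: false, error: "unknown client_id" };
  }

  // Exact string comparison only: no prefix, wildcard or substring match.
  // A looser comparison would let a URI outside the allow-list receive the
  // authorization response, which is exactly what the allow-list prevents.
  if (!redirectUri || !app.redirectUris.includes(redirectUri)) {
    return {
      ok: false,
      redirectAllowed: false,
      error: "redirect_uri is not registered for this client",
    };
  }

  // The redirect target is trusted from here on, so later errors may be
  // delivered to it as an OAuth error response.
  if (responseType !== "code") {
    return { ok: false, redirectAllowed: true, error: "unsupported_response_type" };
  }

  return { ok: true, redirectAllowed: true, app: app.name, redirectUri };
}

// Build the authorization response URL for a validated request. Returns null
// for anything that did not pass validation, so a code can never be attached
// to an unregistered URI.
function authorizationResponseUrl(result, code) {
  if (!result.ok) return null;
  const target = new URL(result.redirectUri);
  target.searchParams.set("code", code);
  return target.toString();
}

// Stand-alone demonstration with constructed requests.
const base = "https://auth.example.test/oauth2/v1/authorize";
const registered = encodeURIComponent("https://app.example.com/login/callback");
const unregistered = encodeURIComponent("https://other.example.net/login/callback");
console.log(
  validateAuthorizeRequest(
    `${base}?client_id=0oaEXAMPLE123&response_type=code&scope=openid&redirect_uri=${registered}`
  )
);
console.log(
  validateAuthorizeRequest(
    `${base}?client_id=0oaEXAMPLE123&response_type=code&scope=openid&redirect_uri=${unregistered}`
  )
);
```

The second request carries the same public `client_id` as the first, but because its `redirect_uri` is not on the registered list the result has `redirectAllowed: false`, so no code or token ever leaves the authorization server for that URI. This is why exposing the client id in browser JavaScript does not weaken the flow; the registered redirect list is the control that matters.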