Protect Client ID from user access

mrv · May 9, 2023, 11:49pm

Hello,

I’ve successfully integrated my React application with Okta! However, I have a question regarding security best practices. Specifically, I’m wondering what the best approach is for keeping the client ID confidential and protect it from user access?

Thanks

erik · May 10, 2023, 4:37am

Hello,

Typically the client_id is not considered a secret as it will be visible in the browsers network tab during an /authorize call.

Thank You,

mrv · May 10, 2023, 7:59pm

Thank you @erik.

I was reading the Authorization Code flow for web and native client types of GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API and and I saw this:

Web and native clients can obtain tokens using the authorization_code flow which uses a client secret stored in a secure location

I thought that client_id is considered a secret.

erik · May 12, 2023, 5:46am

client_id and client_secret are separate.

Public Apps (SPA / FE / Native) won’t have a client_secret, instead they will use PKCE
Private Apps (Web) will make use of a client_secret since they can securely store it.

mrv · May 12, 2023, 6:33am

Thanks for your clarification.

Post		Replies	Views
Is it possible to get a client id/secret for every user instead of app OAuth/OIDC	2	3091	December 11, 2022
Is clientId for an App confidential? Questions	2	5942	August 5, 2019
Is authorization server id or client id supposed to be secret? OAuth/OIDC	2	5496	June 6, 2023
Where do i find Client Secret Questions	6	14391	January 17, 2024
Single page App - where to find the client secret? Questions	2	6298	April 2, 2021

Protect Client ID from user access

Related topics