mrv
May 9, 2023, 11:49pm
Hello,
I’ve successfully integrated my React application with Okta! However, I have a question regarding security best practices. Specifically, I’m wondering what the best approach is for keeping the client ID confidential and protecting it from user access?
Thanks
erik
May 10, 2023, 4:37am
Hello,
Typically the client_id is not considered a secret, as it will be visible in the browser’s network tab during an /authorize call.
Thank You,
mrv
May 10, 2023, 7:59pm
Thank you @erik .
I was reading the Authorization Code flow for web and native client types in GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API, and I saw this:
“Web and native clients can obtain tokens using the authorization_code flow which uses a client secret stored in a secure location”
I thought that client_id is considered a secret.
erik
May 12, 2023, 5:46am
client_id and client_secret are separate.
Public Apps (SPA / FE / Native) won’t have a client_secret; instead they will use PKCE.
Private Apps (Web) will make use of a client_secret since they can securely store it.
mrv
May 12, 2023, 6:33am
Thanks for your clarification.