We are going through a security audit and it was flagged that we have some configs exposed in the config.json URL. I haven’t seen any examples of the Angular package configuring those values there, so I’m hoping to get some feedback on how insecure it is to have those values be public. We do have our app behind a VPN, so it’s not wide open on the internet, but I still think it could be unsafe.
Update: I do see these values in the config in the Okta sample app, so I think it’s OK, but any feedback would be great. samples-js-angular/okta-hosted-login/src/app/app.config.ts at master · okta/samples-js-angular · GitHub
Hi there @jschindler !
Thanks for checking; this can definitely be a source of confusion!
Certain configuration values, such as the issuer, scopes, and client ID aren’t secrets. See this section from the OAuth 2.0 spec:
The authorization server issues the registered client a client identifier – a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.
Angular apps are considered public clients, so there’s no expectation of confidentiality. We can inspect code, see network requests, look at token storage, etc. This is why authorization servers can’t issue a secret value to SPAs.
You’ll want to ensure you have the correct application type configured in Okta and that your public configuration truly doesn’t contain a secret value.
I’ll link our guide for the Angular quickstart demonstrating the configuration values in public clients.
Happy coding!
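An added example, not code from this thread or from Okta's samples: a small TypeScript helper that walks a SPA's public OIDC configuration (the kind of object served from a config.json) and reports anything that has no business in a public client's config. The allow-list of public settings, the secret-name patterns and the sample config are assumptions made for illustration.

```typescript
// Added example (not from the original thread or Okta's samples).
// Audits a browser-served OIDC config: issuer, client ID, scopes and
// redirect URIs are public (RFC 6749 §2.2), anything secret-like is not.

interface Finding {
  path: string;
  reason: string;
}

// Assumed allow-list of settings a public client legitimately publishes.
const PUBLIC_KEYS = new Set([
  'issuer', 'clientId', 'client_id', 'scopes', 'scope', 'redirectUri',
  'redirect_uri', 'postLogoutRedirectUri', 'pkce', 'responseType',
]);

// Assumed patterns for key names that must never ship to the browser.
const SECRET_KEY_PATTERN = /secret|private[_-]?key|api[_-]?key|password/i;
const PEM_PATTERN = /^-----BEGIN [A-Z ]*PRIVATE KEY-----/;

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Recursively walks the config and returns one finding per problem.
function auditPublicOidcConfig(config: Record<string, unknown>, prefix = ''): Finding[] {
  const findings: Finding[] = [];
  for (const [key, value] of Object.entries(config)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SECRET_KEY_PATTERN.test(key)) {
      findings.push({ path, reason: 'key name looks like a secret' });
    } else if (isPlainObject(value)) {
      findings.push(...auditPublicOidcConfig(value, path)); // nested section
    } else if (typeof value === 'string' && PEM_PATTERN.test(value)) {
      findings.push({ path, reason: 'value is a PEM private key' });
    } else if (!PUBLIC_KEYS.has(key)) {
      findings.push({ path, reason: 'setting not on the public allow-list; review before shipping' });
    }
  }
  return findings;
}

// Constructed sample mirroring the shape of an Angular SPA config.
// The planted clientSecret is the only thing the audit should flag.
const SAMPLE_CONFIG: Record<string, unknown> = {
  oidc: {
    issuer: 'https://example.okta.com/oauth2/default', // placeholder
    clientId: '0oaEXAMPLEclientid',                     // placeholder; not a secret
    scopes: ['openid', 'profile', 'email'],
    redirectUri: 'http://localhost:4200/login/callback',
    clientSecret: 'DO-NOT-SHIP-ME',                      // planted defect
  },
};
```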