This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

How to properly use Client ID/Secret for browser applications?

Posted on 02-24-2016 07:15 PM
Not applicable
Reply posted on --/--/---- --:-- AM

I'm relatively new to using OAuth. I'm developing a browser based web application and was wondering what the best way is to hide the client ID/secret. Obviously, I don't want to put those in the client code where anyone can view them. Right now, I have my javascript application directly call APIs on Edge with a username and password to request an access token. I can embed the client ID/secret on Edge and add them to any incoming requests. That way they aren’t exposed to the user. But it seems like any 3rd party can still access my APIs. I’ve read that often they will be placed on a web server in between client requests and the Edge layer, but doesn’t this have the same problem as directly embedding the response on Edge? What’s the best way to use the client ID and secret?

Solved Solved
2 6 11.5K
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
adas
New Member
Reply posted on --/--/---- --:-- AM

@Hansford Hendargo very good question. Implementing OAuth for a client side app without a server component is alway challenging and exposes certain vulnerabilities depending on your app.

Here's a very interesting article about the same, which also talks about a proxy layer which is exactly what Edge is providing. Please take a look: http://alexbilbie.com/2014/11/oauth-and-javascript/

Let me know, if this makes sense and answers your question about OAuth and client side apps.

View solution in original post

Jump to Solution
6 REPLIES 6
Top Solution Authors
View all