Concerns Regarding client_secret Exposure in Client-Side Applications
#1188
Comments
|
Very true, in case you can not protect a |
|
Thanks for your answer @pamapa! I initially questioned the necessity of keeping certain secrets private, given the library is solely for browser use, suggesting perhaps those secrets might not require stringent protection. However, a significant challenge has arisen: the authentication provider in question does not support PKCE code flow. This absence necessitates an alternative method to securely authenticate users, hence my proposal to override To address this, I propose the implementation of a function capable of:
This approach is particularly vital for the application I'm developing, aimed at a marketplace. It requires that users authenticate with the original application to obtain an access token. This token, in turn, enables my application to securely interact with the parent application's API, ensuring a secure and seamless integration. |
This library and the underlying library has a strong focus on PKCE code flow, respectively on OAuth2.0. I do not intent to support anything else. BTW: even if you acquire an access_token from the API within the browser context you are exposing it to a potential attacker.... even if it is only part of the memory for a very short time. |
|
React apps are usually assigned a "public" client which does not require a client_secret, and instead relies on PKCE code flow mentioned like @pamapa said. Now... @swiiny I ran into a similar situation years ago on a project where the identity provider did not support PKCE code flow. Our workaround then was to add a "pass through" api to one of our backend services. It essentially intercepted the request from the React app, then added the client_secret to the request and forwarded it along to the identity provider. |
|
@pamapa (or @zach-betz-hln ) I was just about to ask a similar question but saw this one, so I figure I'd jump in: I'm looking to integrate my React app (using this library) with Keycloak using Authorization Code with PKCE. I was able to get a basic integration flow with Keycloak working using the code examples in your READE (so thank you!). Does this library use PKCE by default (meaning do the code examples in your README essentially create an Authorization Code w/ PKCE flow by default) or are there other configurations/code I'd need to implement to leverage PKCE? Thanks again! |
Yes, best practice (Authorization Code w/ PKCE) is the default. |
Thanks @pamapa , my understanding was that, with PKCE, when the user authenticates, a hashed Code Challenge is sent to the authorization server, along with the Hashing Method (SHA-256, etc.). And then, on each subsequent request for a token, the client sends over a Code Verifier, which is the plaintext version of the hashed Code Challenge. If the server supports Authorization Code w/ PKCE, it will hash the Code Verifier with the indicated Hashing Method and compare it to the Code Challenge. If they match, the token request is granted, etc. Where and how do I set these (the Code Challenge and Code Verifier) in |
They are part of the underling library. Have a look at oidc-client-ts. e.g. https://github.com/authts/oidc-client-ts/blob/main/src/utils/CryptoUtils.ts |
|
Thanks again @pamapa , so just verifying, it looks like there's nothing I need to explicitly set, this library will generate and send Code Challenges/Verifiers automatically for me using |
Yes! For you to verify:
In case you want to see the process you can enable logging like described here: https://authts.github.io/oidc-client-ts/#md:logging |
Indeed it's a client only library so I was surprised to see the ability to provide the client_secret directly. It could be a good idea to add a warning in case of someone not aware about the risks try to use this package. I'll check to implement a |
|
@swiiny out of curiosity, what identity provider are you using that doesn't support Authorization Code w/ PKCE flow ? |
|
@zach-betz-hln it is with this API https://docs.bexio.com/ Thanks for #1208! 👀 |
|
I see what you mean... From their Authentication docs in the Authorization Code Flow section:
For this step:
In order to remove the Roughly:
|
|
Hey @zach-betz-hln, thanks for your answer! Being able to override the default call to |
|
Hey @swiiny I should have been more specific. The workaround I had in mind was to put your identity provider behind a reverse proxy (nginx, apache, etc.). Then when the I realize your original ask was for a way to override the call through this library's api, which I can't speak to. |
description
I have identified a potential security concern related to the handling of the
client_secretwithin a client-side application. Currently, theclient_secretis included in the client-side code, making it accessible from the user's browser. This practice may expose us to security risks, including unauthorized access and potential misuse of theclient_secret. I aim to assess the associated risks and explore more secure alternatives if necessary.The client_secret is a sensitive piece of information intended to authenticate the client application to the server, ensuring that requests made to the server are from a trusted source. In traditional server-side applications, the client_secret is securely stored on the server and is not exposed to the public. However, in our case, the
client_secretis included in the JavaScript bundle sent to the client, making it accessible to anyone who inspects the browser's resources.Potential Risks
client_secretclient-side may violate security compliance requirements or best practices, potentially leading to legal or reputational repercussions.Questions and Next Steps
https://<provider>/tokenendpoint to call our backend instead of doing it client side?The text was updated successfully, but these errors were encountered: