Is it safe to expose Okta clientId in a public repository?
up vote
0
down vote
favorite
To configure Okta authentication in a Angular application it is needed to add a config variable with the settings for your OIDC app in the app.module.ts file. source
const config = {
issuer: 'https://dev-123456.oktapreview.com/oauth2/default',
redirectUri: 'http://localhost:4200/implicit/callback',
clientId: '{clientId}'
};
Where {clientId} is replaced by the actual clientId.
Pushing this application to a public repository would mean that the clientId is exposed for everyone to see. My question is if this forms any sort of security risk?
In my research I found a couple of similar questions with regards to the apiKey used by Firebase:
- Is it safe to expose Firebase apiKey to the public?
- Do you need to hide your Firebase API keys for Ionic apps?
In the case of Firebase there seems no harm in sharing the apiKey. But I'm not sure if Okta's clientId uses a similar principle?
I've also researched some public repositories on Github that implement Okta authentication. Most of those repositories seem to expose the clientId which makes me assume that there is no problem with sharing the clientId. Is this indeed the case?
angular okta
asked Nov 22 at 8:56
Bas de Groot
540115
add a comment |
up vote
0
down vote
favorite
To configure Okta authentication in a Angular application it is needed to add a config variable with the settings for your OIDC app in the app.module.ts file. source
const config = {
issuer: 'https://dev-123456.oktapreview.com/oauth2/default',
redirectUri: 'http://localhost:4200/implicit/callback',
clientId: '{clientId}'
};
Where {clientId} is replaced by the actual clientId.
Pushing this application to a public repository would mean that the clientId is exposed for everyone to see. My question is if this forms any sort of security risk?
In my research I found a couple of similar questions with regards to the apiKey used by Firebase:
- Is it safe to expose Firebase apiKey to the public?
- Do you need to hide your Firebase API keys for Ionic apps?
In the case of Firebase there seems no harm in sharing the apiKey. But I'm not sure if Okta's clientId uses a similar principle?
I've also researched some public repositories on Github that implement Okta authentication. Most of those repositories seem to expose the clientId which makes me assume that there is no problem with sharing the clientId. Is this indeed the case?
angular okta
asked Nov 22 at 8:56
Bas de Groot
540115
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
To configure Okta authentication in a Angular application it is needed to add a config variable with the settings for your OIDC app in the app.module.ts file. source
const config = {
issuer: 'https://dev-123456.oktapreview.com/oauth2/default',
redirectUri: 'http://localhost:4200/implicit/callback',
clientId: '{clientId}'
};
Where {clientId} is replaced by the actual clientId.
Pushing this application to a public repository would mean that the clientId is exposed for everyone to see. My question is if this forms any sort of security risk?
In my research I found a couple of similar questions with regards to the apiKey used by Firebase:
- Is it safe to expose Firebase apiKey to the public?
- Do you need to hide your Firebase API keys for Ionic apps?
In the case of Firebase there seems no harm in sharing the apiKey. But I'm not sure if Okta's clientId uses a similar principle?
I've also researched some public repositories on Github that implement Okta authentication. Most of those repositories seem to expose the clientId which makes me assume that there is no problem with sharing the clientId. Is this indeed the case?
angular okta
asked Nov 22 at 8:56
Bas de Groot
540115
To configure Okta authentication in a Angular application it is needed to add a config variable with the settings for your OIDC app in the app.module.ts file. source
const config = {
issuer: 'https://dev-123456.oktapreview.com/oauth2/default',
redirectUri: 'http://localhost:4200/implicit/callback',
clientId: '{clientId}'
};
Where {clientId} is replaced by the actual clientId.
Pushing this application to a public repository would mean that the clientId is exposed for everyone to see. My question is if this forms any sort of security risk?
In my research I found a couple of similar questions with regards to the apiKey used by Firebase:
- Is it safe to expose Firebase apiKey to the public?
- Do you need to hide your Firebase API keys for Ionic apps?
In the case of Firebase there seems no harm in sharing the apiKey. But I'm not sure if Okta's clientId uses a similar principle?
I've also researched some public repositories on Github that implement Okta authentication. Most of those repositories seem to expose the clientId which makes me assume that there is no problem with sharing the clientId. Is this indeed the case?
angular okta
angular okta
asked Nov 22 at 8:56
Bas de Groot
540115
asked Nov 22 at 8:56
Bas de Groot
540115
asked Nov 22 at 8:56
Bas de Groot
540115
asked Nov 22 at 8:56
Bas de Groot
540115
asked Nov 22 at 8:56
Bas de Groot
540115
540115
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
accepted
There shouldn’t be any security issues with putting your Client ID in a GitHub repo. This value is similar to a license plate on a car. It’s just an identifier and is regularly passed in the URL for authorization requests.
The client secret is the value you don’t want to expose. It should NOT be stored in source control. I recommend storing a dummy value and overriding it with an environment variable.
answered Nov 22 at 16:11
Matt Raible
2,76362972
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
accepted
There shouldn’t be any security issues with putting your Client ID in a GitHub repo. This value is similar to a license plate on a car. It’s just an identifier and is regularly passed in the URL for authorization requests.
The client secret is the value you don’t want to expose. It should NOT be stored in source control. I recommend storing a dummy value and overriding it with an environment variable.
answered Nov 22 at 16:11
Matt Raible
2,76362972
add a comment |
up vote
1
down vote
accepted
There shouldn’t be any security issues with putting your Client ID in a GitHub repo. This value is similar to a license plate on a car. It’s just an identifier and is regularly passed in the URL for authorization requests.
The client secret is the value you don’t want to expose. It should NOT be stored in source control. I recommend storing a dummy value and overriding it with an environment variable.
answered Nov 22 at 16:11
Matt Raible
2,76362972
add a comment |
up vote
1
down vote
accepted
up vote
1
down vote
accepted
There shouldn’t be any security issues with putting your Client ID in a GitHub repo. This value is similar to a license plate on a car. It’s just an identifier and is regularly passed in the URL for authorization requests.
The client secret is the value you don’t want to expose. It should NOT be stored in source control. I recommend storing a dummy value and overriding it with an environment variable.
answered Nov 22 at 16:11
Matt Raible
2,76362972
There shouldn’t be any security issues with putting your Client ID in a GitHub repo. This value is similar to a license plate on a car. It’s just an identifier and is regularly passed in the URL for authorization requests.
The client secret is the value you don’t want to expose. It should NOT be stored in source control. I recommend storing a dummy value and overriding it with an environment variable.
answered Nov 22 at 16:11
Matt Raible
2,76362972
answered Nov 22 at 16:11
Matt Raible
2,76362972
answered Nov 22 at 16:11
Matt Raible
2,76362972
answered Nov 22 at 16:11
Matt Raible
2,76362972
2,76362972
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53427123%2fis-it-safe-to-expose-okta-clientid-in-a-public-repository%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
