OAuth 2.0 Password Grant Type: Is client secret safe?

Posted 1 month ago by rifqi96

Hi, I'm developing an app which has a backend as the API provider and a frontend client that consumes the API from the backend. I'm using Laravel Passport for the OAuth matters and using the password grant type.

Since the password grant type requires the client id and client secret to be sent along in the request body when getting the token, my frontend has to keep the client credentials, and they can actually be exposed through the network tab in the browser.

My question is, is this a safe way to do it? Or is it better to have my own login API endpoint to proxy the oauth/token route from Passport? What is the best practice for such a case? And what's the worst scenario that could happen if people get my client secret? As far as I'm concerned, you can't do much anyway with the client secret, cmiiw.

I believe this is a common problem developers encounter. I hope I can have the answer, please share! Thank you! :)
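One way to do the proxying the question asks about, shown here as an added example (not the poster's code and not Passport's own): a first-party login endpoint that accepts only the user's email and password and injects `client_id` and `client_secret` from server-side config when it calls Passport's `/oauth/token` internally, so the secret never reaches the browser. The config keys `services.passport.client_id` / `services.passport.client_secret`, the `.env` variable names and the route location are this example's own assumptions.

```php
<?php
// Added example (not the poster's code): a first-party login endpoint that proxies
// Passport's /oauth/token so the password-grant client secret stays on the server.
// Assumes config/services.php contains an entry like
//   'passport' => [
//       'client_id'     => env('PASSPORT_PASSWORD_CLIENT_ID'),
//       'client_secret' => env('PASSPORT_PASSWORD_CLIENT_SECRET'),
//   ],
// (key and env names chosen for this example, not Passport defaults).

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class LoginController extends Controller
{
    public function login(Request $request)
    {
        // The browser sends only the user's own credentials.
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        // client_id / client_secret are added here from server-side config and
        // never appear in any response or in the frontend bundle.
        $response = Http::asForm()->post(url('/oauth/token'), [
            'grant_type'    => 'password',
            'client_id'     => config('services.passport.client_id'),
            'client_secret' => config('services.passport.client_secret'),
            'username'      => $credentials['email'],
            'password'      => $credentials['password'],
            'scope'         => '',
        ]);

        if ($response->failed()) {
            // Return a generic failure rather than Passport's raw error body, so a
            // misconfigured client secret or an unknown user is not distinguishable.
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // Forward the token payload (access_token, refresh_token, expires_in, token_type).
        return response()->json($response->json(), 200);
    }
}

// routes/api.php (assumed location); rate-limit the endpoint since it accepts passwords.
// Route::post('/login', [\App\Http\Controllers\LoginController::class, 'login'])
//     ->middleware('throttle:10,1');
```

The frontend then posts only `email` and `password` to `/api/login`, and the client credentials can be rotated on the server without touching any shipped frontend code.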
