What is the best way to handle the client_secret in a first-party web or mobile application? Right now I have an API built in Laravel using Passport and a few first-party consumers of this API. It is said to be insecure to leak or pass the client_secret in a web/mobile application but I don't know how you can request a password grant without passing the /oauth/token. The only other way I can think of doing this would be to do a server-side curl request for the web (like a proxy) but this won't work in a mobile environment.

Is it safe to pass the /oauth/client from a client-side call (via Axios)?
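
The server-side proxy mentioned in the question, as an added example that is not part of the original post: the browser sends only the username and password, and the server adds the client credentials before calling /oauth/token. The config field names, the example host and the sample values are assumptions constructed for illustration; the form fields are those of Passport's password grant.

```javascript
// Added example. The browser posts only { username, password } to this server;
// the client credentials live in server-side configuration (assumed names).
function buildTokenRequest(browserBody, config) {
  if (!config.clientId || !config.clientSecret) {
    throw new Error('client credentials are not configured on the server');
  }
  const { username, password, scope } = browserBody || {};
  if (typeof username !== 'string' || username === '' ||
      typeof password !== 'string' || password === '') {
    throw new Error('username and password are required');
  }
  // Build the form from scratch so browser-supplied grant_type, client_id or
  // client_secret values are never forwarded.
  const form = new URLSearchParams();
  form.set('grant_type', 'password');
  form.set('client_id', String(config.clientId));
  form.set('client_secret', config.clientSecret);
  form.set('username', username);
  form.set('password', password);
  form.set('scope', typeof scope === 'string' ? scope : '');
  return {
    url: config.apiBase.replace(/\/+$/, '') + '/oauth/token',
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
    body: form.toString(),
  };
}

// Return only the token fields to the browser, so nothing else in the
// upstream response is relayed.
function toBrowserResponse(upstream) {
  const { token_type, expires_in, access_token, refresh_token } = upstream;
  return { token_type, expires_in, access_token, refresh_token };
}

// Constructed sample values, not real credentials.
const demoConfig = { apiBase: 'https://api.example.test/', clientId: 2, clientSecret: 'server-side-secret' };
const demoRequest = buildTokenRequest(
  { username: 'user@example.test', password: 'correct horse', client_secret: 'from-browser' },
  demoConfig
);
console.log(demoRequest.url);
```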