Securely handling client_secret Passport

Posted 8 months ago by BillRiess

What is the best way to handle the client_secret in a first-party web or mobile application? Right now I have an API built in Laravel using Passport and a few first-party consumers of this API. It is said to be insecure to leak or pass the client_secret in a web/mobile application, but I don't know how you can request a password grant without passing the client_secret to /oauth/token. The only other way I can think of doing this would be to do a server-side curl request for the web (like a proxy), but this won't work in a mobile environment.

Is it safe to pass the client_secret to /oauth/client from a client-side call (via Axios)?
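The server-side proxy mentioned in the question, as an added example that is not part of the original post: the web backend accepts only the username and password from the browser and attaches the client credentials itself, so the client_secret never reaches client-side code. The environment variable names, placeholder values and sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Assumed names: PASSPORT_CLIENT_ID,
// PASSPORT_CLIENT_SECRET, and the constructed sample input at the bottom.

// Build the form for POST /oauth/token from browser input plus server-held config.
// Only username and password are taken from the browser; anything else it sends
// (client_id, client_secret, grant_type, scope) is ignored.
function buildTokenForm(array $browserInput, array $serverConfig): array
{
    foreach (['username', 'password'] as $field) {
        if (!isset($browserInput[$field]) || !is_string($browserInput[$field])
            || $browserInput[$field] === '') {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
    }
    return [
        'grant_type'    => 'password',
        'client_id'     => $serverConfig['client_id'],
        'client_secret' => $serverConfig['client_secret'], // stays on the server
        'username'      => $browserInput['username'],
        'password'      => $browserInput['password'],
        'scope'         => $serverConfig['scope'],          // fixed by the server
    ];
}

// Forward the form to the API's token endpoint (the "server-side curl request").
function requestToken(string $tokenUrl, array $form): array
{
    $ch = curl_init($tokenUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($form),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('token request failed: ' . curl_error($ch));
    }
    return [curl_getinfo($ch, CURLINFO_RESPONSE_CODE), $body];
}

// Constructed sample: a browser request that also tries to set its own secret and scope.
$config = [
    'client_id'     => getenv('PASSPORT_CLIENT_ID') ?: 'CLIENT_ID_PLACEHOLDER',
    'client_secret' => getenv('PASSPORT_CLIENT_SECRET') ?: 'SECRET_PLACEHOLDER',
    'scope'         => '',
];
$input = ['username' => 'user@example.test', 'password' => 'constructed-password',
          'client_secret' => 'sent-by-browser', 'scope' => '*'];
$form = buildTokenForm($input, $config);
echo 'scope sent upstream: "' . $form['scope'] . '"', PHP_EOL;
echo 'secret taken from browser: ',
     $form['client_secret'] === 'sent-by-browser' ? 'yes' : 'no', PHP_EOL;
```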

