Is it safe to expose Okta clientId in a public repository?
To configure Okta authentication in an Angular application it is needed to add a config variable with the settings for your OIDC app in the app.module.ts file (source):

```typescript
const config = {
  issuer: 'https://dev-123456.oktapreview.com/oauth2/default',
  redirectUri: 'http://localhost:4200/implicit/callback',
  clientId: '{clientId}'
};
```

Where `{clientId}` is replaced by the actual clientId.

Pushing this application to a public repository would mean that the clientId is exposed for everyone to see. My question is if this forms any sort of security risk?

In my research I found a couple of similar questions with regards to the apiKey used by Firebase:
- Is it safe to expose Firebase apiKey to the public?
- Do you need to hide your Firebase API keys for Ionic apps?

In the case of Firebase there seems no harm in sharing the apiKey. But I'm not sure if Okta's clientId uses a similar principle?

I've also researched some public repositories on GitHub that implement Okta authentication. Most of those repositories seem to expose the clientId, which makes me assume that there is no problem with sharing the clientId. Is this indeed the case?
angular okta
asked Nov 22 at 8:56
Bas de Groot
1 Answer
accepted
There shouldn’t be any security issues with putting your Client ID in a GitHub repo. This value is similar to a license plate on a car. It’s just an identifier and is regularly passed in the URL for authorization requests.
The client secret is the value you don’t want to expose. It should NOT be stored in source control. I recommend storing a dummy value and overriding it with an environment variable.
answered Nov 22 at 16:11
Matt Raible
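An added example in TypeScript, not code from the question or the answer, showing the split the answer describes: the committed config keeps the public clientId and only a dummy value for a secret, the real client secret of a confidential (server-side) client is read from an environment variable at runtime, and a browser SPA like the Angular app gets no secret at all. The variable name OKTA_CLIENT_SECRET and the placeholder string are assumptions; a small pre-commit style check flags a literal secret left in a config file.

```typescript
// Added example: models the answer's advice. clientId is a public identifier
// and may live in source; a client secret never does. OKTA_CLIENT_SECRET and
// SECRET_PLACEHOLDER are assumed names, not Okta SDK identifiers.

const SECRET_PLACEHOLDER = "REPLACE_AT_RUNTIME";

// Committed configuration: the question's values plus a dummy secret slot.
const committedConfig = {
  issuer: "https://dev-123456.oktapreview.com/oauth2/default",
  redirectUri: "http://localhost:4200/implicit/callback",
  clientId: "{clientId}",           // public identifier, safe to commit
  clientSecret: SECRET_PLACEHOLDER  // dummy value, never the real secret
};

interface ResolvedConfig {
  issuer: string;
  redirectUri: string;
  clientId: string;
  clientSecret?: string; // absent for a browser SPA, which cannot keep one
}

// Builds the runtime config. A public client (the Angular SPA) gets no secret
// field at all; a confidential client must get its secret from the
// environment, and the committed placeholder is rejected outright.
function resolveConfig(
  env: Record<string, string | undefined>,
  confidentialClient: boolean
): ResolvedConfig {
  const { issuer, redirectUri, clientId } = committedConfig;
  if (!confidentialClient) {
    return { issuer, redirectUri, clientId };
  }
  const secret = env["OKTA_CLIENT_SECRET"];
  if (!secret || secret === SECRET_PLACEHOLDER) {
    throw new Error("OKTA_CLIENT_SECRET must be set in the environment");
  }
  return { issuer, redirectUri, clientId, clientSecret: secret };
}

// Pre-commit style check over a config file's text: returns true when a
// clientSecret is assigned a quoted literal other than the placeholder.
function hasCommittedSecret(source: string): boolean {
  const m = /clientSecret\s*:\s*['"]([^'"]*)['"]/.exec(source);
  return m !== null && m[1] !== SECRET_PLACEHOLDER;
}
```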