There is definitely no good way to handle secrets on the client side. The client is not under your control and can never be trusted. This requires the change in the default implementation of the login in angular and ReactNative projects.
We are using the resource owner password flow. The client has no permission itself, so without a valid username/password the client name/secret does nothing.
However, we will be working on the other flows in the next versions.
We changed to the authorization code flow. The Account module will support both the authorization code and resource owner password flows. Authorization code will be the default for new applications, and we will create a simple guide for changing existing apps (very easy).
https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-00#section-6.2
It would be great if the Authorization Code Flow were used instead of the client_credentials or password flow.
I think this would improve the security of client applications.
I'm still exploring the abp.io and loving it. Thanks for this amazing project.