0

The only way that I found to avoid exposing the client secret on the front end was to create a client id without a secret.

Is it safe to have a client id without a secret to use in web apps?

John

1 Answer

1

You use the Authorization Code Flow (PKCE), which generates a secret at runtime. There is no need to configure a secret in the Authorization Server - you just set a client id.

See these resources of mine for more info:

Gary Archer
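
The flow the answer describes, as an added example that is not part of the original answer: the app creates a one-time `code_verifier` per login, sends only its SHA-256 hash in the authorization redirect, and presents the verifier when redeeming the code, so no static secret ships with the front end. It uses Node's `crypto` module so it runs offline (in a browser, `crypto.getRandomValues` and `crypto.subtle.digest` do the same job); the endpoint, client id, redirect URI and function names are assumptions.

```javascript
// Added example: PKCE (RFC 7636) for a public client (client id, no client secret).
// Endpoint, client id and redirect URI are constructed placeholders.
const { randomBytes, createHash, timingSafeEqual } = require('node:crypto');

// code_verifier: 32 random bytes -> 43 base64url characters (RFC 7636 allows 43 to 128).
function createCodeVerifier() {
  return randomBytes(32).toString('base64url');
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), the "S256" method.
function createCodeChallenge(codeVerifier) {
  return createHash('sha256').update(codeVerifier, 'ascii').digest().toString('base64url');
}

// Front channel: only the challenge (a hash) travels in the browser redirect.
function buildAuthorizationUrl(cfg, state, codeChallenge) {
  const url = new URL(cfg.authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Back channel: the verifier is sent where a confidential client would send client_secret.
function buildTokenRequestBody(cfg, code, codeVerifier) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    code,
    code_verifier: codeVerifier,
  }).toString();
}

// Authorization server side: recompute the challenge and compare with the stored one.
function serverAcceptsVerifier(storedChallenge, presentedVerifier) {
  const expected = Buffer.from(storedChallenge);
  const actual = Buffer.from(createCodeChallenge(presentedVerifier));
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

const cfg = { authorizeEndpoint: 'https://login.example.com/authorize',
  clientId: 'spa-client', redirectUri: 'https://app.example.com/callback' };
const verifier = createCodeVerifier(); // held by the app for this one login only
console.log(buildAuthorizationUrl(cfg, 'constructed-state', createCodeChallenge(verifier)));
console.log(buildTokenRequestBody(cfg, 'constructed-code', verifier));
```

An authorization code intercepted from the redirect cannot be redeemed without the verifier, which never appears in the front-channel URL.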