Closed Bwaffles closed 7 months ago
Based on the research below, I'm going to close this issue as "doesn't need a fix". It makes sense to me that this isn't a security risk since the client id can't be used by any site other than my own.
The client identifier and your domain (which I'm assuming you're referring to the assigned Auth0 domain similar to [account].auth0.com) are both considered information that does not need to be kept secret.
The domain represents the entity handling the authentication; the equivalent of accounts.google.com for your application.
The client identifier is defined within the OAuth 2.0 specification, which clearly indicates that it is not confidential information:
The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.
In browser-based or other applications where the actual code is located in a client environment, it's unavoidable to have information stored there for authentication purposes. You just need to be sure that the information stored is okay to be disclosed, as it is with the two examples you gave.
On the other hand, these types of applications could not securely use a client secret as it is defined by OAuth 2.0 because, like you said, anyone could see it by inspecting the code.
https://stackoverflow.com/questions/51352759/where-to-store-auth0-domain-and-client-id
https://stackoverflow.com/questions/40354720/angular2-with-auth0-do-i-need-to-hide-my-clientid-and-domain/40378764#40378764
We shouldn't be storing the client id in environment variables because it will be included in the build for anyone to see.
A potential solution is making an API call to get the Auth0 configuration.
https://stackoverflow.com/a/57103663