Secret in Angular

[Jdruwe]

Hey

I see that you store the secret (acmesecret) in auth.service.ts, isn't this dangerous?

Thanks in advance.

[kucharzyk]

I think it's secure.

This secret only identify your application. Nothing more.

You can't authenticate user with secret but without username and password You can't sing jwt tokens with secret but without key stored at server side.

Even JHipster store client secret in javascript - it's required to authenticate https://github.com/jhipster/jhipster-sample-app-oauth2/blob/master/src/main/webapp/app/services/auth/auth.oauth2.service.js

[Jdruwe]

Thank you for your answer, oAuth 2 is kinda new for me and really complicated :p

[Jdruwe]

@kucharzyk What happens if I create a malicious website, lets say 'spring-angular2-starter-bad'. I can just decompile the secret from your javascript on the real site, ask for the user to login using their credentials and now I have the token, correct? I am just trying to comprehend why a client_secret is making this setup more secure.

[kucharzyk]

@Jdruwe You have right but it works only when I pass my credentials on your site. Token has expiration date. What you really need is my credentials.

Suppose you created facebook-bad.com

• I visit it and pass my facebook credentials
• Now you have my username and password
• Do you need token? You have everything you need.

Password grant type is created for trusted clients only. When you authorize on my page you will be not authorized on your bad page. If you pass your credentials on malicious site - it's your fault - it's the same problem like false bank websites

Check also similiar discusion on jhipster project: https://github.com/jhipster/generator-jhipster/issues/1898

[Jdruwe]

Thanks! This kinda summarises it:

After removing your client-secret, I don't think your app is really any safer but it feels a bit cleaner and honest--in that you're acknowledging that using a JS-only client, you can only be so safe. For JS and native clients, the implicit flow is typically used and it doesn't bother with a client-secret. It's simplified from the more robust authorization code grant flow for the fact that with a JS or native client can't keep a secret.