I've been experimenting with jhipster. I've configured my app to work with oauth2. For that purpose I have a client secret in my application.yml.
According to several articles I have found on this topic, the client secret should be kept secret at all times. For example, check https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
> The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as Javascript or native apps, then the secret is not used.
I've noticed though that the generated auth.oauth2.service.js contains the secret in plain text:
```javascript
return {
    login: function(credentials) {
        var data = "username=" + credentials.username + "&password="
            + credentials.password + "&grant_type=password&scope=read%20write&" +
            "client_secret=mySecretOAuthSecret&client_id=myapp";
        return $http.post('oauth/token', data, {
            headers: {
                "Content-Type": "application/x-www-form-urlencoded",
                "Accept": "application/json",
                "Authorization": "Basic " + Base64.encode("myapp" + ':' + "mySecretOAuthSecret")
            }
        }).success(function (response) {
            var expiredAt = new Date();
            expiredAt.setSeconds(expiredAt.getSeconds() + response.expires_in);
            response.expires_at = expiredAt.getTime();
            localStorageService.set('token', response);
            return response;
        });
    },
```
I understand that it will be a little bit harder to find in the minified JavaScript, but anyone looking for 'client_secret' will be rewarded quickly.
Am I missing something? Or is the jHipster oauth implementation unsafe?
Thanks, Andy