
To configure Okta authentication in an Angular application you need to add a config variable with the settings for your OIDC app in the app.module.ts file.

const config = {
    issuer: 'https://dev-123456.oktapreview.com/oauth2/default',
    redirectUri: 'http://localhost:4200/implicit/callback',
    clientId: '{clientId}'
};

Where {clientId} is replaced by the actual clientId.

Pushing this application to a public repository would mean that the clientId is exposed for everyone to see. My question is if this forms any sort of security risk?

In my research I found a couple of similar questions with regard to the apiKey used by Firebase:

In the case of Firebase there seems no harm in sharing the apiKey. But I'm not sure if Okta's clientId uses a similar principle?

I've also researched some public repositories on Github that implement Okta authentication. Most of those repositories seem to expose the clientId which makes me assume that there is no problem with sharing the clientId. Is this indeed the case?

Bas de Groot



There shouldn’t be any security issues with putting your Client ID in a GitHub repo. This value is similar to a license plate on a car. It’s just an identifier and is regularly passed in the URL for authorization requests.

The client secret is the value you don’t want to expose. It should NOT be stored in source control. I recommend storing a dummy value and overriding it with an environment variable.

Matt Raible
  • Here is an [Okta dev forum post](https://devforum.okta.com/t/is-clientid-for-an-app-confidential/5841/2) agreeing that ClientID is safe to expose to the public. – Patrick M Sep 28 '21 at 16:00
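The answer's advice (commit the public client ID, keep only a dummy value for the client secret in source control, and override it from an environment variable) as an added worked example; this is not code from the question, the answer, or Okta. The placeholder string, the `OKTA_CLIENT_SECRET` variable name, the helper function names and the sample file contents are all assumptions constructed for the example. It also adds a small pre-commit style check that flags a non-placeholder `clientSecret` literal in a source file, and a redaction helper showing which of the two values is safe to log.

```typescript
// Committed configuration: clientId is a public identifier (safe in a repo),
// clientSecret is deliberately a placeholder that must be replaced at runtime.
const SECRET_PLACEHOLDER = 'REPLACE_ME_VIA_ENV'; // assumed placeholder value

interface OktaConfig {
  issuer: string;
  redirectUri: string;
  clientId: string;
  clientSecret: string;
}

// Sample values are constructed; '{clientId}' stands in for the real client ID.
const committedConfig: OktaConfig = {
  issuer: 'https://dev-123456.oktapreview.com/oauth2/default',
  redirectUri: 'http://localhost:4200/implicit/callback',
  clientId: '{clientId}',
  clientSecret: SECRET_PLACEHOLDER,
};

// Override the committed secret with the environment (assumed variable name
// OKTA_CLIENT_SECRET). The env object is passed in so the function is testable
// without touching process.env.
function resolveOktaConfig(
  committed: OktaConfig,
  env: Record<string, string | undefined>,
): OktaConfig {
  const fromEnv = env['OKTA_CLIENT_SECRET'];
  return { ...committed, clientSecret: fromEnv ?? committed.clientSecret };
}

// True only when a real (non-empty, non-placeholder) secret has been supplied.
function isSecretConfigured(cfg: OktaConfig): boolean {
  return cfg.clientSecret.length > 0 && cfg.clientSecret !== SECRET_PLACEHOLDER;
}

// Fail fast at startup: a server-side (confidential) client should never run
// with the dummy value. Browser-only (implicit/PKCE) clients have no secret
// at all and would skip this check.
function assertSecretConfigured(cfg: OktaConfig): OktaConfig {
  if (!isSecretConfigured(cfg)) {
    throw new Error('OKTA_CLIENT_SECRET is not set; refusing to start with the placeholder');
  }
  return cfg;
}

// Pre-commit style check over a file's contents: returns the literal if a
// clientSecret is hardcoded to something other than the placeholder, else null.
function findHardcodedSecret(fileContents: string): string | null {
  const match = /clientSecret\s*:\s*['"]([^'"]*)['"]/.exec(fileContents);
  if (!match) return null;
  const literal = match[1];
  return literal.length > 0 && literal !== SECRET_PLACEHOLDER ? literal : null;
}

// What may be printed: the client ID is public, the secret is not.
function redactForLogging(cfg: OktaConfig): OktaConfig {
  return { ...cfg, clientSecret: '[redacted]' };
}

// Usage with a constructed environment (not read from the real process).
const sampleEnv: Record<string, string | undefined> = {
  OKTA_CLIENT_SECRET: 'constructed-secret-for-demo',
};
const runtimeConfig = assertSecretConfigured(resolveOktaConfig(committedConfig, sampleEnv));
console.log(redactForLogging(runtimeConfig));
```

The split mirrors the answer: the identifier that already travels in authorization URLs lives in the repository, while the value that proves the client's identity is injected from outside it, and the startup check turns a forgotten override into an immediate failure rather than a silently misconfigured deployment.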