0

I'm using Auth0 for sign in/sign up flow and user has possibility to update his profile information.

In order to do that I'm requesting a token from auth0 using url 'https://YOUR_DOMAIN/oauth/token', sending in payload this sensitive information

data: {
    grant_type: 'client_credentials',
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET',
    audience: 'https://YOUR_DOMAIN/api/v2/'
  }

which is in plain text visible in Network Request browser.

This is procedure I'm following is here: https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-access-tokens-for-production

So is possible to hide this payload data which contains this sensitive information? Since with this token you can manipulate users data if you know userID.

Or there is some other way to retrieve token from auth0 before updating profile?

Thank you

HardRock
  • 809
  • 2
  • 12
  • 37
  • 1
    This flow is for server-side only. Since it _needs_ those credentials, this request is not meant to ever be performed from client-side code. – CBroe May 03 '22 at 07:45

2 Answers2

1

You should do a Client_Credentials Flow only from the backend. Then you also wouldn't have the Problem with the credentials being visible in the browser network tab.

Kaankom
  • 159
  • 6
1

You should obtain the new access token from the backend and then also update the users profile from the backend.

Your access_token should be encrypted and can be stored in a cookie or JWT token in the users browser. This is send on every request to your server/backend, you decrypt it and extract some of users info, including the expiration time of the token and the refresh_token.

If the access_token is expired you request a new one using the refresh_token from your backend to the authorization server.

If you are interested I also explain the reason for having access_token and refresh_token here: Why Does OAuth v2 Have Both Access and Refresh Tokens?

Bernard Wiesner
  • 961
  • 6
  • 14