We now have a web app whose back end is composed of APIs. We use OAuth to authorize the web app’s calls to the APIs. We all know that in OAuth there is always the Authorization endpoint, used to get the Authorization code, which in turn is used to get the Authorization token. Among the input parameters of the Authorization endpoint is the client_id. It’s the identifier for the component that wants to access the resources (e.g. mobile app, web app).
In this case, is the client_id stored in the browser? How would we know where it’s stored?
What if a user of the web app was able to successfully authenticate, then, using OAuth, was given authorization to access the APIs through the web app, but after he used his machine, the next user was able to get hold of the client_id in the browser. Would he/she be able to access the APIs?
I’m asking because we recently subjected our app to penetration testing and the testers had several issues with the client_id. They said it can be guessed through enumeration and, once guessed, can be used to access your resources. Also, if it is stored in the browser (in case your app is a web app) and you’re using a public computer, other people can get it and use it to access and use the APIs that your web app uses (if they know what their URLs are). I’m confused as to whether these are really valid issues.
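Added example, not code from the original post: a toy Python model of the authorization-code flow the question describes (authorization endpoint issues a code, token endpoint exchanges it), showing what the two endpoints check besides the client_id. The client registration, redirect URI, and the 60-second code lifetime are constructed values for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredClient:
    """A client known to the authorization server (constructed registration)."""
    client_id: str
    redirect_uris: frozenset  # pre-registered callback URLs, exact match only


class AuthorizationServer:
    """Toy authorization and token endpoints; not a real OAuth library."""
    CODE_TTL = 60  # seconds an authorization code stays valid (assumed value)

    def __init__(self, clients):
        self.clients = {c.client_id: c for c in clients}
        self.codes = {}   # code -> (client_id, redirect_uri, expires_at)
        self.tokens = {}  # access token -> client_id

    def authorize(self, client_id, redirect_uri, now=None):
        """Authorization endpoint: the client_id only selects a registration.
        The code is delivered to a registered redirect_uri, so the id by
        itself does not route a code to an unregistered location."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            return None  # unknown client or unregistered callback: refuse
        code = secrets.token_urlsafe(32)
        expires_at = (now if now is not None else time.time()) + self.CODE_TTL
        self.codes[code] = (client_id, redirect_uri, expires_at)
        return code

    def token(self, code, client_id, redirect_uri, now=None):
        """Token endpoint: a code is single-use, short-lived and bound to the
        client_id and redirect_uri it was issued for. Any failed exchange
        consumes the code, so a mismatched attempt also burns it."""
        entry = self.codes.pop(code, None)  # pop: the code can never be replayed
        if entry is None:
            return None
        bound_client, bound_redirect, expires_at = entry
        if (now if now is not None else time.time()) > expires_at:
            return None
        if client_id != bound_client or redirect_uri != bound_redirect:
            return None
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = client_id
        return access_token
```

The `now` parameter exists only so the expiry check can be exercised deterministically; a real server would use the clock.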