I was working on customizing the Swagger UI when I noticed that at the bottom of the HTML there is some inline JavaScript that includes the client ID and client secret. We were using username and password OpenID auth against AAD, so we didn't actually need the client secret. However, sometimes our app uses its client secret to do Bearer auth to other things, so it's in the app settings, and we passed it down to Swagger until we learned this was bad and harmful.
While it is ultimately swagger-ui rendering the secret, Swashbuckle should do more to warn against carelessly adding the client secret. At the very least the XML doc comments should warn you that this is bad. The examples should explicitly warn you not to set it whenever they set the client secret. I'd even go as far as making ClientSecret a field-backed property so you can stick a #WARNING in the setter that the user could ignore if they really need to expose the client secret.
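The configuration pattern the issue describes, shown as an added example rather than code from the issue author or from the Swashbuckle project. It assumes Swashbuckle.AspNetCore (AddSwaggerGen, UseSwaggerUI, SwaggerUIOptions with its OAuthConfigObject), an appsettings.json "AzureAd" section holding ClientId and ClientSecret, and an app that genuinely needs the secret elsewhere. The commented-out OAuthClientSecret call is the line that puts the secret into the oauthConfigObject inside the inline script of swagger-ui's index.html; the UseSwaggerUIWithoutSecret helper is hypothetical and not a Swashbuckle API, and is one way for an app to fail fast until the library warns on its own:

```csharp
// Added example; not the issue author's code and not part of Swashbuckle.
// Assumes Swashbuckle.AspNetCore and an "AzureAd" configuration section
// with ClientId and ClientSecret (both assumptions, not from the issue).
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Swashbuckle.AspNetCore.SwaggerUI;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSwaggerGen();
var app = builder.Build();

var aad = app.Configuration.GetSection("AzureAd");
var clientId = aad["ClientId"];
// Needed by the app for its own calls to downstream APIs; never by the browser.
var clientSecret = aad["ClientSecret"];

app.UseSwagger();
app.UseSwaggerUIWithoutSecret(ui =>
{
    ui.OAuthClientId(clientId);
    ui.OAuthScopes("openid", "profile");
    // Public-client flow for the interactive UI: authorization code + PKCE
    // needs no secret, so nothing secret is written into the page.
    ui.OAuthUsePkce();

    // The line the issue warns about. Swashbuckle serialises the OAuth config
    // into inline JavaScript in index.html, so this would hand the secret to
    // every visitor of /swagger. Left commented out on purpose.
    // ui.OAuthClientSecret(clientSecret);
});

app.Run();

static class SwaggerUiGuard
{
    // Hypothetical helper (assumption: not a Swashbuckle API). Runs the caller's
    // configuration, then inspects the resulting options and refuses to start
    // if a client secret has been wired into the UI outside local Development.
    public static IApplicationBuilder UseSwaggerUIWithoutSecret(
        this WebApplication app, Action<SwaggerUIOptions> configure)
    {
        return app.UseSwaggerUI(options =>
        {
            configure(options);

            var secret = options.OAuthConfigObject?.ClientSecret;
            if (!string.IsNullOrEmpty(secret) && !app.Environment.IsDevelopment())
            {
                throw new InvalidOperationException(
                    "Swagger UI OAuth config contains a client secret. It would be " +
                    "embedded in the inline script of the Swagger UI page and exposed " +
                    "to every visitor. Use a public-client flow (PKCE) instead.");
            }
        });
    }
}
```

The check runs once at startup, when UseSwaggerUI evaluates the setup action, so a misconfiguration surfaces as a failed deployment rather than as a secret quietly served in page source. Limiting the exception to non-Development environments keeps the escape hatch the issue asks for (a developer who really does want the secret in a local UI can still have it) without letting it reach a shared host.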