React & Node - Client Secret security


I'm currently challenging myself by replicating a Flask/python app in React/Nodejs. The challenge I'm running into is with how to securely store client secrets for the public APIs the app uses. I need to store two 'types' of credentials: one is the client/secret for OIDC that users will authenticate against our IDP with, the other is public API client/secrets that the backend will use to CRUD data against a variety of sources. I'm pretty sure I have discovered what to do for the backend node: this will live in AWS so I can use Secrets Manager to store & retrieve client/secrets unexposed. What I can't figure out is how to obfuscate the OIDC config from prying eyes. I'm used to being able to store that data in environment variables in Python, but that doesn't seem to translate well to ReactJS without some level of exposure.

One thought I had is to store the creds in secrets manager, and use the node backend as the protective layer to retrieve the creds, but once I pull them up to the React layer won't they still be exposed?

I'm using react-oidc-context to manage the OIDC connection, which ends up with a setup similar to this

import React, { useState } from 'react';
import { AuthProvider } from 'react-oidc-context';
// MenuBar, MainView and ProgressSpinner are the app's own components (imports omitted)

// Settings handed straight to AuthProvider; everything in this object,
// client_secret included, is compiled into bundle.js.
const oidcConfig = {
    authority: 'https://ourIDP',
    client_id: 'appclient',
    client_secret: 'appsecret',
    redirect_uri: 'http://localhost:3000/callback',
    response_type: 'code',
    scope: 'openid profile email'
};

function App() {
    const [content, setContent] = useState({});
    console.log(content);
    return (
        <AuthProvider {...oidcConfig}>
            <div className={"overall-div"}>
                <MenuBar setContent={setContent}/>
                <React.Suspense fallback={<ProgressSpinner alignSelf={"center"} margin={{top: "xlarge"}}/>}>
                    <MainView content={content}/>
                </React.Suspense>
            </div>
        </AuthProvider>
    );
}

which is all exposed through the bundle.js.

Thanks ahead of time for any help.

I have googled multiple methods of secrets management and just can't find the answer. On here the only answers I could find were not OIDC related.
