Why is Swagger exposing my client secret?
I added Swashbuckle/Swagger to my Web API, not realizing that my client secret would be exposed. The Swagger developers seem to regard it as unavoidable, per this link:
https://github.com/swagger-api/swagger-ui/issues/4448
MSAL.js does it without exposure.
Here's my understanding of MSAL.js. It redirects to the Active Directory URL-plus-clientID, where Active D shows a login page. The user signs in and gets a token if he is in the same tenant as that clientID (otherwise denied). Active D redirects the user back to my home page URL-plus-token. MSAL.js extracts the token from the URL.
I just don't understand why Swagger can't do the same thing.
Any good solutions for Swagger? My boss is NOT happy with me for having exposed a client secret.
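Added example (not code from the question or from the Swashbuckle project): a Swashbuckle configuration in which Swagger UI obtains a token by redirecting the user to the identity provider, the same shape as the MSAL.js redirect described above, but using the authorization code flow with PKCE instead of the implicit flow, so the API never holds or serves a client secret. It assumes ASP.NET Core with Swashbuckle.AspNetCore 5 or later and Azure AD v2.0 endpoints; the tenant id, client id and scope values are placeholders to replace with your own.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.OpenApi.Models;

// Placeholders (assumed, not from the question): substitute your own values.
// ClientId belongs to a PUBLIC app registration for Swagger UI, so no secret exists to leak.
const string TenantId = "<tenant-id>";
const string ClientId = "<swagger-ui-app-client-id>";
const string ApiScope = "api://<api-app-id>/access_as_user";

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(options =>
{
    // Describe the OAuth2 flow Swagger UI should drive. The browser is sent to the
    // authorize endpoint and comes back with a code; PKCE proves it was the same browser,
    // which is what a client secret would otherwise be used for.
    options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri($"https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/authorize"),
                TokenUrl = new Uri($"https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string>
                {
                    [ApiScope] = "Call the API as the signed-in user"
                }
            }
        }
    });

    // Require that scheme on every operation so the "Authorize" button appears in the UI.
    options.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        [new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
        }] = new[] { ApiScope }
    });
});

var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI(ui =>
{
    ui.OAuthClientId(ClientId);   // public identifier, safe to ship to the browser
    ui.OAuthUsePkce();            // PKCE stands in for the client secret
    ui.OAuthScopeSeparator(" ");
    // Deliberately no ui.OAuthClientSecret(...): that option is what writes the
    // secret into the JavaScript Swagger UI serves to every visitor.
});
app.MapControllers();
app.Run();
```

For this to work the app registration used by Swagger UI must be configured as a public (single-page application) client with `https://<your-host>/swagger/oauth2-redirect.html` registered as a redirect URI; that page is the one Swagger UI redirects back to, analogous to the home-page URL in the MSAL.js description. A quick check that nothing leaks is to open the served `/swagger/index.html` and its embedded `swagger-ui-init` script in the browser's view-source and confirm no `clientSecret` value is present.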