4 years ago

Why is Swagger exposing my client secret?

I added Swashbuckle/Swagger to my Web Api, not realizing that my client secret would be exposed. The Swagger developers seem to regard it as unavoidable, per this link


MSAL.js does it without exposure. 


Here's my understanding of MSAL.js. It redirects to the Active Directory URL-plus-clientID, where Active Directory shows a login page. The user signs in and gets a token if he is in the same tenant as that clientID (otherwise denied). Active Directory redirects the user back to my home page URL-plus-token. MSAL.js extracts the token from the URL.


I just don't understand why Swagger can't do the same thing. 


Any good solutions for Swagger?  My boss is NOT happy with me for having exposed a client secret. 


