Why is Swagger exposing my client secret?


I added Swashbuckle/Swagger to my Web API, not realizing that my client secret would be exposed. The Swagger developers seem to regard it as unavoidable, per this link: https://github.com/swagger-api/swagger-ui/issues/4448

MSAL.js does it without exposure.

Here's my understanding of MSAL.js. It redirects to the Active Directory URL-plus-clientID, where Active Directory shows a login page. The user signs in and gets a token if he is in the same tenant as that clientID (otherwise denied). Active Directory redirects the user back to my home page URL-plus-token. MSAL.js extracts the token from the URL.

I just don't understand why Swagger can't do the same thing.

Any good solutions for Swagger? My boss is NOT happy with me for having exposed a client secret.
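Added example (not from the poster or the Swashbuckle project): a Swashbuckle.AspNetCore configuration that has Swagger UI obtain tokens the same way MSAL.js does, as a public client using the authorization-code flow with PKCE, so no `OAuthClientSecret` is ever shipped to the browser. It assumes Swashbuckle.AspNetCore with Microsoft.OpenApi, the Azure AD v2.0 endpoints, and a Swagger UI app registration configured as a single-page application; every value in angle brackets is a placeholder.

```csharp
// Program.cs (ASP.NET Core minimal hosting). Values in <angle brackets> are placeholders.
using Microsoft.OpenApi.Models;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddSwaggerGen(c =>
{
    // Describe the API as protected by the OAuth2 authorization-code flow.
    // Swagger UI runs in the browser and is therefore a public client: no secret belongs here.
    c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri("https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize"),
                TokenUrl = new Uri("https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string>
                {
                    ["api://<api-client-id>/access_as_user"] = "Call the Web API as the signed-in user"
                }
            }
        }
    });
    // Require that scheme on every operation so the "Authorize" button appears in Swagger UI.
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        [new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
        }] = new[] { "api://<api-client-id>/access_as_user" }
    });
});

var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI(c =>
{
    // Public client registered with redirect URI https://<api-host>/swagger/oauth2-redirect.html
    c.OAuthClientId("<swagger-ui-client-id>");
    // PKCE: the code_verifier proves possession of the authorization code, replacing the secret.
    c.OAuthUsePkce();
    c.OAuthScopes("api://<api-client-id>/access_as_user");
    // Weak setting this replaces: c.OAuthClientSecret("<secret>") embeds the secret in every browser session.
});
app.MapControllers();
app.Run();
```

Because the browser never holds a secret, the exposed secret in the original setup should be rotated in the app registration rather than merely removed from the code, since anyone who loaded the old Swagger page may have captured it.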

 
