Why is Swagger exposing my client secret?

I added Swashbuckle/Swagger to my Web API, not realizing that my client secret would be exposed. The Swagger developers seem to regard it as unavoidable, per this link.


MSAL.js does it without exposure. 


Here's my understanding of MSAL.js. It redirects to the Active Directory URL-plus-clientID, where Active D shows a login page. The user signs in and gets a token if he is in the same tenant as that clientID (otherwise denied). Active D redirects the user back to my home page URL-plus-token. MSAL.js extracts the token from the URL.


I just don't understand why Swagger can't do the same thing. 


Any good solutions for Swagger?  My boss is NOT happy with me for having exposed a client secret. 
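The following is an added example, not code from the original post or from the Swashbuckle project: a Swashbuckle.AspNetCore setup for an ASP.NET Core Web API behind Azure AD that uses the authorization code flow with PKCE, so that Swagger UI goes through the same browser redirect to the identity provider that MSAL.js uses and never needs a client secret at all. It assumes .NET 6+ minimal hosting with implicit usings, Swashbuckle.AspNetCore 6.x, the Azure AD v2.0 endpoints, and placeholder values for the tenant id, the Swagger client id, and the API scope; all of those are assumptions, not values from the post.

```csharp
// Added example (not from the original post). Assumed: Swashbuckle.AspNetCore 6.x,
// .NET 6+ implicit usings, Azure AD v2.0 endpoints, and the placeholder values below.
using Microsoft.OpenApi.Models;

var builder = WebApplication.CreateBuilder(args);

const string TenantId = "<TENANT_ID>";                          // placeholder
const string SwaggerClientId = "<SWAGGER_CLIENT_ID>";           // placeholder: a separate public-client registration for Swagger UI
const string ApiScope = "api://<API_CLIENT_ID>/access_as_user"; // placeholder: the scope the API exposes

builder.Services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });

    c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            // Authorization code flow with PKCE: the browser is redirected to the
            // identity provider's login page, comes back to Swagger UI with a code,
            // and Swagger UI exchanges that code for a token using the PKCE verifier.
            // No client secret is part of this exchange, so none has to be served.
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri($"https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/authorize"),
                TokenUrl = new Uri($"https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string>
                {
                    [ApiScope] = "Access the API as the signed-in user"
                }
            }
        }
    });

    // Require the scheme on every operation so the "Authorize" button appears.
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
            },
            new[] { ApiScope }
        }
    });
});

var app = builder.Build();

app.UseSwagger();
app.UseSwaggerUI(c =>
{
    c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API v1");
    c.OAuthClientId(SwaggerClientId);
    c.OAuthUsePkce();        // PKCE stands in for the secret on this public client
    c.OAuthScopes(ApiScope);

    // The weak setting the post ran into. Everything passed to these options is
    // rendered into the JavaScript configuration that Swagger UI downloads, so a
    // secret set here is readable by anyone who can load the /swagger page.
    // c.OAuthClientSecret("<CLIENT_SECRET>");   // do not do this
});

app.MapControllers();
app.Run();
```

For the redirect to complete, the Swagger client registration in Azure AD has to list Swagger UI's redirect page, `https://<your-host>/swagger/oauth2-redirect.html`, as a redirect URI under the single-page application platform (an assumption about the portal configuration, stated here because the token endpoint otherwise rejects a secret-less code exchange from the browser). The API's own client secret, if it has one, then stays on the server and is never referenced by the Swagger configuration.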

