
OAuth secret and single page applications (SPA) #365

Closed
alexandre-abrioux opened this issue Feb 13, 2025 · 4 comments

Comments

@alexandre-abrioux

alexandre-abrioux commented Feb 13, 2025

Hi!

I just got my OAuth credentials reinstated by your support team. I'm working on migrating my code to the new authentication mechanism, but even though it works in my local environment, I don't feel confident in releasing the change I've made so far.

I'm using the Authorization Code Flow. From what I understand, according to the documentation and the few tests I've made, we need to pass down our client secret in order to exchange the authorization code for an access token.
See the documentation on the /oauth/token endpoint:

$ curl -X POST "https://secure.soundcloud.com/oauth/token" \
     ...
     --data-urlencode "grant_type=authorization_code" \
     --data-urlencode "client_id=YOUR_CLIENT_ID" \
     --data-urlencode "client_secret=YOUR_CLIENT_SECRET" \
     ...
     --data-urlencode "code=YOUR_CODE"

I'm maintaining a single-page application (SPA). If I were to follow this process, I would leak out my secret because it would be embedded in my (public) JavaScript code. This means anyone could use it to query/DDoS SoundCloud's public API with the Client Credentials flow, potentially resulting in my account being suspended and my credentials terminated.

I've tried exchanging codes without passing down my client secret, but I get this error as a result: invalid_client.

Would you happen to have any advice on what I should do here? I'm pretty familiar with OAuth, and I usually do not need to pass down the secret to get an access token when PKCE is used on a SPA. As far as I understand, with PKCE, the secret is optional and only used by backends to add an additional layer of trust.

Do I need to convert my SPA to a full-stack application?

Thank you for your time 🙂

@rbscgh

rbscgh commented Feb 20, 2025

Hey @alexandre-abrioux, firstly thank you so much for your detailed issue and keen OAuth sense! You're absolutely right! Now that we've moved to 2.1 we can make this distinction between public and confidential clients. If you provide me with your client id I can gladly mark your application as public, which will disallow you from client credentials but allow you to do auth-code with PKCE and no secret!

@alexandre-abrioux

@rbscgh Thanks a lot! 🙂 Here are my client IDs:

  • prod: 56bag3u3oT565Wh9Oavd5glWl3dTDE58
  • dev: PSvCynpyHgTfqYyeFpwD1bEU4AdztpcP

@rbscgh

rbscgh commented Feb 21, 2025

@alexandre-abrioux done! please let us know if everything works as expected. then we can close this issue.

@alexandre-abrioux

Fantastic, it worked 😊 Thanks a lot for your help; that's much appreciated! I am closing the issue.
