Usage of client secret in client code

[mattfysh]

It's not a wise idea to expose your secret in client code, yet this library encourages/expects it. E.g this is a quote from the LinkedIn OAuth2 docs:

Important!

At the risk of your own application's security, DO NOT share your Client Secret value with anyone! This includes posting it in support forums for help with your application.

[blakeembrey]

1. There's implicit auth flow for "client code" that doesn't use or require a secret
2. This library works for node.js, which is not client code

[blakeembrey]

What do you want out of this issue? Would you like me to add a warning to people writing client-side code and hard-coding secret keys?

[robotlovesyou]

Just to add my 1¢ worth here, while there is an implicit flow, this post by oauth2 spec author Aaron Parecki makes it clear that it is no longer the recommended approach for single page apps. Many implementations, such as ory/hydra now support the concept of "public" access code grant clients which are issued with a client id but no client secret. It would be preferable if this library also supported this approach.