Security risks - hippogamesunity/SimpleSignIn GitHub Wiki

Storing client secrets

In some scenarios, AuthSettings may contain a Client Secret (or Private Key) used to refresh and revoke access tokens. Some platforms require a Client Secret to refresh and revoke access tokens, and others don't.

Exposure of an OAuth client secret is a security risk because it allows attackers to impersonate your legitimate application, steal user data, and perform actions on users' behalf. This applies especially to "public clients" (SPAs, mobile/desktop apps), where secrets are easily extracted from the shipped code, leading to unauthorized token access and phishing via stolen authorization codes and attacker-controlled redirect URLs, effectively bypassing the protocol's security layers.

For token exchange, it's always possible to use the Authorization Code Flow with Proof Key for Code Exchange (PKCE) on all platforms, so you don't need a Client Secret.
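As an added example (not code from the SimpleSignIn project), the Python below shows the PKCE mechanics this paragraph relies on: the client generates a random code_verifier, sends only its S256 code_challenge with the authorization request, and later proves possession by sending the verifier itself in the token request, so the token exchange carries no client_secret at all. The authorize endpoint, client id, redirect URI and authorization code are constructed placeholders, and verify_code_challenge is the check the authorization server performs when the token request arrives (included here so the round trip can be exercised offline).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier per RFC 7636 section 4.1 (43..128 unreserved chars).

    32 random bytes, base64url-encoded without padding, yield exactly 43 characters.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """Authorization-server side of the token endpoint: recompute the challenge from the
    presented verifier and compare in constant time. Verifiers outside the RFC length
    bounds are rejected before any hashing."""
    if not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(verifier), challenge)


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, verifier: str) -> str:
    """Step 1: the client sends the challenge (never the verifier) to the authorize endpoint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 2: exchange the authorization code. The verifier proves possession of the
    session that started the flow; there is no client_secret in this request."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Constructed sample values: placeholder endpoint, client id, redirect URI and code.
    verifier = make_code_verifier()
    url = build_authorization_url("https://auth.example/authorize", "my-client-id",
                                  "myapp://callback", "openid email",
                                  secrets.token_urlsafe(16), verifier)
    print(url)
    body = build_token_request("my-client-id", "myapp://callback", "CODE_FROM_REDIRECT", verifier)
    print("client_secret" in body)  # False: PKCE replaces the secret for this exchange
    # Server-side check: the verifier sent now must match the challenge sent earlier.
    print(verify_code_challenge(verifier, make_code_challenge(verifier)))  # True
```

The verifier must be kept in memory only for the lifetime of one authorization attempt; it is never persisted or shipped with the app, which is exactly why it can live in a public client while a Client Secret cannot. make_code_challenge reproduces the RFC 7636 Appendix B test vector.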

Suggested workarounds if you don't want to store Client Secret:

  1. Simply don't refresh or revoke access tokens. When a token expires, just perform authorization again to get a new one.
  2. Move the token refresh and revoke functionality to your backend (where you can safely store the Client Secret).