I have read this example:https://auth0.com/blog/securing-grpc-microservices-dotnet-core/
In this example it explains how to implement authorization in a gRPC service.
It says that the client request a token that let the client call the service. For that, it is needed to include in the json file the public and private data that it is possible to get this token.
{"Auth0": {"Domain": "YOUR_AUTH0_DOMAIN","Audience": "YOUR_UNIQUE_IDENTIFIER","ClientId": "YOUR_CLIENT_ID","ClientSecret": "YOUR_CLIENT_SECRET" }}If I am not wrong, what this does is to configure my application to can request a token. But all the information needed for that is in in plain text. So, where is the security here, if someone could copy the application to anoher computer and run the application and get the token?
For that, I guess it is the same that if I create a self signed certificate and I add the CA.crt, client.crt and client.key in the application.
Perhaps I misunderstood some part, but if this is correct, that all the information needed to get the token is in the client and the process is this:
- Client get token from Auth0.
- Client use the token to call the serive.
- The service authrizes the call because the token is valid.
Where is the security in this case?
Thanks.
