Security issue

[LpmRaven]

The clientSecret parameter should never be used on the front-end.
Exposing the clientSecret inside the front end application at any time makes your application vulnerable to attack.

Please use a back-end/proxy to handle the clientSecret.

[yuriescl]

Upvoted, indeed, this issue makes this library unusable and unsafe.

[yuriescl]

This library should either switch to implicit grant authentication or add a backend library to store the client secret

[DarylBuckle]

Thanks for raising this.

Yes, agreed, the clientSecret should not be specified.

It's there solely as a workaround for getting the demo to work without backend code (hosting on gh pages and using Auth0 where secret was mandatory).

Agreed that it's misleading and unclear, and should be done properly with the secret in backend code.

I'll make amendments at some point in the near future to either make clear in the docs that clientSecret shouldn't be used in any real-world scenario or remove it completely and make a better demo to resolve this.

Thanks again for raising this issue.