As explained in Digging Deeper into OAuth 2.0 on, OAuth client applications have a client id (aka consumer key) and (optionally) a client secret (aka consumer secret), which the app uses to identify itself to an authorization server (in our case, typically It's tempting to put these, and similar parameters such as API user credentials, directly in your code (after all, who else is going to see your code?), but I'm here to tell you NO!!!

Yes, I've been guilty of this sin in the past, but a much better approach is to put configuration parameters in environment variables. The benefits are that you can push your code to public repositories without having to remember to remove your secrets, you don't have to load and parse a config file just for the sake of a handful of strings, and your app will work well on Heroku, where best practice is to use environment variables, set via heroku config.

Go grep 3MVG9 * in your source directory to find OAuth client ids (all the client ids I've seen have this prefix) and rip 'em out!

Get the latest Salesforce Developer blog posts and podcast episodes via Slack or RSS.

Add to Slack Subscribe to RSS