What? You expose Server secret to Client?
Alex Sharov

Hi Alex,

Thanks for pointing that out. Actually the intention is not to expose the server’s signing key or secret to the client. That would not be secure. However, in this tutorial, I have used the same password for signing and client password and that’s definitely confusing and misleading. I have now updated the code and this post to give a separated secret to the client.

In non-trivial implementations, the client ids and secrets would be maintained in a separated API and shared in a secured fashion. For brevity’s sake, they have been hardcoded in this post.