Exploitation of client_id in OAuth


We have a web app whose back end is composed of APIs. We use OAuth to authorize the web app's calls to the APIs. We all know that in OAuth there is always the authorization endpoint used to get the authorization code, which in turn is used to get the authorization token. In the authorization endpoint, one of the input parameters is the client_id. It's the identifier for the component that wants to access the resources (e.g. mobile app, web app).


  1. In this case, is the client_id stored in the browser? How would we know where it is stored?

  2. What if a user of the web app was able to authenticate successfully using OAuth and was given authorization to access the APIs via the web app, but after he used the machine, the next user was able to get hold of the client_id in the browser. Would he/she be able to access the APIs?

I am asking both since we recently subjected our app to penetration testing and the testers had a lot of issues with the client_id. They said it can be guessed via enumeration and, when guessed, can be used to access your resources. Also, if it is stored in the browser (if your app is a web app) and you're using a public computer, other people can get it and use it to access the APIs that your web app uses (if they know what their URLs are). I'm confused whether these are really valid issues.
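Added illustration, not part of the question above: a toy model of the authorization-code flow the question describes, written in Python with constructed client names, URLs and secrets. It shows what the authorization and token endpoints check besides the client_id (registered redirect_uri, client_secret for a confidential client, PKCE code_verifier for a browser client), so that a guessed or browser-exposed client_id on its own yields no token.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def s256_challenge(verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): base64url(sha256(code_verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class AuthServer:
    """Toy authorization server (constructed for illustration). The client_id is a
    public label; what protects the grant is the registered redirect_uri plus either
    a client_secret (confidential client) or a PKCE code_verifier (public/browser client)."""
    clients: dict = field(default_factory=dict)  # client_id -> (redirect_uri, secret|None)
    codes: dict = field(default_factory=dict)    # code -> (client_id, redirect_uri, user, challenge)

    def register(self, client_id, redirect_uri, client_secret=None):
        self.clients[client_id] = (redirect_uri, client_secret)

    def authorize(self, client_id, redirect_uri, user, code_challenge=None):
        """Authorization endpoint, after the user has logged in: issue a one-time code
        bound to this client_id, redirect_uri and PKCE challenge. Knowing someone
        else's client_id does not let you send their codes to your own redirect URL."""
        if client_id not in self.clients or self.clients[client_id][0] != redirect_uri:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, code_challenge)
        return code

    def token(self, client_id, code, redirect_uri, client_secret=None, code_verifier=None):
        """Token endpoint. The code is consumed on the first attempt, even a failed one,
        so a replayed or guessed exchange cannot be retried (single use, RFC 6749 4.1.2)."""
        grant = self.codes.pop(code, None)
        if grant is None or grant[0] != client_id or grant[1] != redirect_uri:
            return None
        registered_secret = self.clients[client_id][1]
        if registered_secret is not None:  # confidential client: must prove the secret
            if not client_secret or not secrets.compare_digest(client_secret, registered_secret):
                return None
        else:  # public client: must prove possession of the PKCE verifier
            if grant[3] is None or code_verifier is None or s256_challenge(code_verifier) != grant[3]:
                return None
        return {"access_token": secrets.token_urlsafe(24), "sub": grant[2]}
```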