I've got a Rails API that is using Doorkeeper with the password grant method for Oauth2.

Doorkeeper requires both the client_id and client_secret to be sent to the token request (/oauth/token), alongside the user's login details and scope.

How would I go about doing this in an Angular app? I don't like the idea of storing the client id and secret client side...

The client_id and client_secret should only be used when your app code is secured, i.g. inside your web server.

For browser web apps and mobile apps the oauth implicit flow or the password flow should be used.

1. In the implicit flow, you only use the client_id.
2. In the password flow, you exchange the username and password for an access token.