Giter VIP home page Giter VIP logo

Comments (6)

alecbcs avatar alecbcs commented on September 2, 2024 1

@mislav Thanks for taking the time to write a well detailed answer and explanation. I'm glad to hear that I wasn't missing something simple and this is a design discrepancy between web and client side apps. Also that leaking the client ID and the secret doesn't open up a major vulnerability besides securing that clients are using an authentic app and not an imposter.

from oauth.

jvalkeal avatar jvalkeal commented on September 2, 2024 1

Just wanted to leave a note here as I was looking how gh cli does these things and wondered why it has a secret exposed in a source tree with a comment:

https://github.com/cli/cli/blob/4f0264e37b2b42253ea866f07b010e5b840aa416/internal/authflow/flow.go#L21

Looks like if you use device-flow you don't need clientSecret anymore as api doesn't require its use thus you don't need to expose it. Thought you get back in same scenario @mislav wrote that you can use any clientId in your app.

from oauth.

mislav avatar mislav commented on September 2, 2024

(I'm guessing that you're talking about OAuth secrets. The client ID for any OAuth app is public knowledge.)

That's a great question! The short answer: just embed the "secret" value in your app. Even while compiled/obfuscated, assume that the value will always be trivially extractable from your app (and thus not a secret anymore), but that's fine. We do this in GitHub CLI.

Basically, the concept of an OAuth secret doesn't translate well to client apps, since it was designed with web applications in mind. For their OAuth applications, for example, Google asks each developer to indicate whether an OAuth app is a client app and doesn't provide nor require secrets for those apps, since they cannot possibly remain secret. The rest of the protocol remains the same.

Naturally, all this means that anyone can take your OAuth client ID + secret and pretend that they are your application. That's true, but it isn't such a big risk as it sounds. By the nature of running on the user's machine, client apps are not guaranteed to be tamper-proof anyway.

I guess we should add some docs about this to the README.

from oauth.

avatar commented on September 2, 2024

oauth-0.8.0.zip
Duplicate of #

from oauth.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.