The GithubOAuth example uses OAuth2's authorization code grant.
This is fine if you can delegate the authorization to a server you own and store the client secret there, but this isn't the case here. The README instructs users to paste their client secret into the app. This is a very bad idea™, as these can very easily be extracted from the exported package.
To be fair, there is a security warning in the README, but "Note:" is not how you tell people about fundamental security flaws.
There does exist another OAuth flow, implicit grant, which doesn't require a client secret. GitHub does not support this, however.
We should either provide some basic server code, or switch to a different provider for this example.
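As an added illustration of the "basic server code" option (this is example code, not part of the project or of the GitHub example being discussed): a minimal server-side token exchange for GitHub's authorization code grant. The server is the only party that ever holds `client_secret`; the shipped app only hands the user's browser the authorization URL and receives the resulting token. The `CodeExchangeServer` class, the `state` nonce handling, the `http_post` injection point and the `fake_github_post` stand-in are all assumptions made for this example so that it runs offline; the two GitHub endpoint URLs and the `Accept: application/json` form of the token response are GitHub's documented ones.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# GitHub's real endpoints for the authorization code grant.
GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"


def _urllib_post(url, form_body, headers):
    """Default transport: POST a form-encoded body and return the response text."""
    req = Request(url, data=form_body, headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class CodeExchangeServer:
    """Server-side half of the grant (hypothetical helper for this example).
    Only this object ever sees client_secret; the exported app never does."""

    def __init__(self, client_id, client_secret, redirect_uri, http_post=_urllib_post):
        self.client_id = client_id
        self._client_secret = client_secret      # stays on the server, never shipped
        self.redirect_uri = redirect_uri
        self._http_post = http_post              # injectable so the demo runs offline
        self._pending_states = set()             # one-shot anti-CSRF nonces

    def authorization_url(self, scope="read:user"):
        """URL the app sends the user's browser to. Carries no secret at all."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        params = {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": scope, "state": state}
        return GITHUB_AUTHORIZE_URL + "?" + urlencode(params)

    def handle_callback(self, callback_url):
        """GitHub redirects to redirect_uri?code=...&state=... ; the server checks
        state, then exchanges code for a token using the secret it alone holds."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        if state is None or state not in self._pending_states:
            raise PermissionError("unknown or replayed state; refusing exchange")
        self._pending_states.discard(state)      # single use: a replay is rejected
        if code is None:
            raise ValueError("callback carried no authorization code")
        form = urlencode({"client_id": self.client_id,
                          "client_secret": self._client_secret,
                          "code": code,
                          "redirect_uri": self.redirect_uri}).encode("ascii")
        raw = self._http_post(GITHUB_TOKEN_URL, form, {"Accept": "application/json"})
        data = json.loads(raw)
        if "error" in data:
            raise RuntimeError("token exchange failed: %s" % data["error"])
        return data["access_token"]


# --- Constructed offline stand-in for GitHub's token endpoint (not GitHub's code) ---
SEEN_REQUESTS = []


def fake_github_post(url, form_body, headers):
    """Records what the server sent and answers as GitHub would for a valid code."""
    fields = parse_qs(form_body.decode("ascii"))
    SEEN_REQUESTS.append({"url": url, "fields": fields, "headers": headers})
    if fields.get("code") == ["good-code"] and fields.get("client_secret") == ["server-only-secret"]:
        return json.dumps({"access_token": "gho_constructed_token",
                           "token_type": "bearer", "scope": "read:user"})
    return json.dumps({"error": "bad_verification_code"})


def demo():
    """Full round trip against the stand-in; returns the observable results."""
    server = CodeExchangeServer("constructed-client-id", "server-only-secret",
                                "https://example.invalid/callback", http_post=fake_github_post)
    auth_url = server.authorization_url()
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    callback = "https://example.invalid/callback?code=good-code&state=" + state
    token = server.handle_callback(callback)
    try:
        server.handle_callback(callback)         # same state a second time
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"auth_url": auth_url, "token": token, "replay_rejected": replay_rejected,
            "secret_in_auth_url": "server-only-secret" in auth_url}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The split is the whole point: everything the app can be asked to store (client id, redirect URI, authorization URL) is public by design, and the only request that needs the secret is made from `handle_callback` on the server. In a real deployment `handle_callback` would sit behind an HTTPS route at `redirect_uri` and hand the app a session rather than the raw token, and `_pending_states` would live in a store shared across server processes.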
I'm not sure I want to remove the example completely as I think it serves some instructional value (the flow doesn't change that much with a different grant type..); what if we just made the "Note" into a big disclaimer and changed the wording into something a bit more aggressive?