Security concerns around embedding OAuth client_secret in frontend? #24796
I’m building an application that allows users to interact with their GitHub account data. It is a single page application but with React and is registered with GitHub as an OAuth Application (https://developer.github.com/apps/building-oauth-apps/). Reading through the docs on the web application flow (https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow), I see that the flow is basically:
This all seems totally fine and I’m able to perform the steps entirely within my frontend application, however the last step would require me to embed my I could stand up a simple server to handle the login flow (user POSTs bearer token to my API, my API sends bearer token and So, can anyone comment on the recommended best practice around embedding the OAuth Application
Replies: 2 comments
@alukachin general, you should not embed the client secret in an Authorization code flow in a client facing web app, because someone could use the combination of ID and secret to impersonate your app. You should either set up a proxy server to handle the Authorization code flow or use another type of flow such as PKCE (but I don’t think that’s supported by the Github API).
Thanks @kamicut!
So, it seems like the primary risk is that if someone could easily get your Client Secret (i.e. read it in your front-end application’s source code) and then could somehow intercept the Authorization Code (e.g. look through a browser’s history for redirect URLs, such as when Github redirects back to “http://…redirect_uri…/?code=abc123”), then that person would be able to easily generate an auth token for that user.
So in closing, it is not okay to embed your client_secret in a frontend application.