I’m building an application that allows users to interact with their GitHub account data. It is a single page application but with React and is registered with GitHub as an OAuth Application (https://developer.github.com/apps/building-oauth-apps/). Reading through the docs on the web application flow (https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow), I see that the flow is basically:
- Redirect user to GitHub OAuth login page, providing the `client_id` and a redirect url as query parameters.
- After logging in, GitHub redirects user back to my app with a `code` value serving as a bearer token.
- My application makes a POST request with the bearer token, my `client_id`, and my `client_secret` to GitHub, getting in exchange an authentication token that my application can then use to make API calls on the user’s behalf.
This all seems totally fine and I’m able to perform the steps entirely within my frontend application, however the last step would require me to embed my `client_secret` in my frontend application code. This would obviously make it accessible to anyone who was interested in finding it. I can’t come up with any particular reasons why this is exactly a security concern, however I struggle with the idea of embedding something labeled as a “secret” within frontend code. Given the redirect flow, GitHub’s services should reject any authentication attempts where the redirect URI doesn’t match the URI specified in my OAuth Application’s configuration, so I don’t think a malicious actor could do any damage with my application’s credentials.
I could stand up a simple server to handle the login flow (user POSTs bearer token to my API, my API sends bearer token and `client_secret` to GitHub), however keeping this entirely as a frontend html/js project would definitely be desirable.
So, can anyone comment on the recommended best practice around embedding the OAuth Application `client_secret` in a frontend application (or otherwise exposing it, such as committing it to version control)? Is there a real risk if others get it or am I just fixating on the word “secret”?