
Client Secret should not be in mobile app code

Open kishykumar opened this issue 9 years ago • 8 comments

Shouldn't the mobile app code not include the client secret?

As far as I know, mobile apps should not include the CLIENT SECRET in the source code because of source code confidentiality. The following article confirms the same: http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

You are fetching the access_token from code assuming it's a web server app.

kishykumar avatar Nov 04 '15 09:11 kishykumar

According to the Uber docs, client_secret is used to get an access token; check out their docs: https://developer.uber.com/v1/auth/

Neno0o avatar Nov 04 '15 17:11 Neno0o

Think again, should you give away your secret (client_secret) to public (who have your mobile app)?

The link you shared / the docs are basically describing authorization for a server-side web app. Your link has "check out Aaron Parecki's OAuth 2 Simplified guide". That confirms that you should NOT save the client_secret in the mobile apps.

kishykumar avatar Nov 05 '15 07:11 kishykumar

Good point. I will check that out.

Neno0o avatar Nov 05 '15 21:11 Neno0o

I get 401 UNAUTHORIZED when I remove (client_secret) from getting an access token. What do you think about that?

Neno0o avatar Nov 10 '15 13:11 Neno0o

You have to set 'grant_type=token' for that to work. Let me know if it doesn't work.

Thanks, Kishy

kishykumar avatar Nov 10 '15 17:11 kishykumar

The grant_type may be authorization_code or refresh_token. I used both of them and am still getting 401 UNAUTHORIZED. Thank you!

Neno0o avatar Nov 14 '15 10:11 Neno0o

Sorry - the 'response_type' has to be 'token'.

Please read this: http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps

I followed this and it works.

Best,
Kishy Kumar

kishykumar avatar Nov 14 '15 20:11 kishykumar

Hi again, thanks for pointing out this great article. I changed 'response_type' and it is still not working. According to the Uber docs, "response_type: code is the only acceptable input at this time."

Neno0o avatar Nov 18 '15 16:11 Neno0o
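To make the distinction argued in this thread concrete, here is an added example (not code from the Uber-Android-SDK project or from any of the commenters) that builds the authorization URL for both response types, parses each kind of redirect with a state check, and shows which request is the one that carries client_secret. The endpoint URL, client id, redirect URI and artifact bytes are constructed placeholders, not the provider's real values; the real endpoints are in the docs linked above.

```python
import secrets
from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse

# Placeholder authorization endpoint (constructed for this example, not a real provider URL).
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"


def new_state():
    """Unguessable per-request state value; the redirect must echo it back."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, response_type, scope, state):
    """Build the browser redirect that starts either flow.

    response_type="code"  -> authorization code flow; the secret is needed later,
                             at the token endpoint, so that step belongs on a server.
    response_type="token" -> implicit flow; the token arrives in the URL fragment
                             and no client secret is involved anywhere.
    Neither URL contains client_secret.
    """
    if response_type not in ("code", "token"):
        raise ValueError("response_type must be 'code' or 'token'")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_implicit_redirect(redirect_url, expected_state):
    """Implicit flow: read access_token from the fragment (#...), never the query.
    Rejects the response when state does not match the value we sent (CSRF check)."""
    data = dict(parse_qsl(urlparse(redirect_url).fragment))
    if data.get("state") != expected_state:
        raise ValueError("state mismatch")
    if "access_token" not in data:
        raise ValueError("no access_token in fragment")
    return data["access_token"], data.get("token_type"), data.get("expires_in")


def parse_code_redirect(redirect_url, expected_state):
    """Authorization code flow: only a short-lived code comes back to the app."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Body of the code exchange. This is the only step that needs client_secret,
    so it must be sent by a backend you control, never assembled inside the shipped APK."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def leaks_secret(artifact, secret):
    """Pre-release check: does a built artifact (bytes of an APK, a strings dump,
    a resources file) contain the client secret verbatim? Anyone holding the app
    can run the same search, which is why a hit means the secret is public."""
    return secret.encode() in artifact


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("client-abc", "https://app.example.invalid/cb", "token", "profile", state))
    # Constructed stand-in for a strings dump of a build, containing the secret literally.
    print(leaks_secret(b"...uber_client_secret=s3cr3t...", "s3cr3t"))
```

Only build_token_request needs the secret, and that is the request a shipped app cannot make safely: leaks_secret run against the build output is the check that catches the literal before release. Where the provider accepts only response_type=code, as the last comment reports, the usual fix is to send the returned code to a backend you control and perform the exchange there, which is the server-side web app case the linked article describes.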