Storing the client secret on the mobile app is insecure
Hello,
I saw that you've already closed a few issues regarding this topic, but I don't think it's been adequately addressed. The client_secret for an OAuth 2.0 application should never be included in any client side code. It is completely vulnerable there.
I saw two suggestions in the closed issues and I think they are both insecure:
- Retrieve the client_secret from the server at run time with a network request. This is just as bad because users can intercept the network requests and view the client_secret.
- Compile the client_secret into the application itself. This is also insecure because anytime you store a secret on a client you don't control, it's insecure by definition.
Please reconsider updating this library / documentation to not encourage users to store their client_secret on the client themselves.
@richardartoul Ok, your point makes sense, but what are you suggesting as an alternative?
Use the implicit grant type?
Encouraging users to put the client secret in their app is not a good idea and previously suggested ways of solving this by "putting it in Info.plist to have it compiled" (#72) make no sense.
https://auth0.com/docs/api-auth/tutorials/implicit-grant
Here's a nice overview from stack overflow : https://stackoverflow.com/questions/17427707/whats-the-right-oauth-2-0-flow-for-a-mobile-app
In short:
The Authorization Code Grant flow is recommended for applications that have a web service. This flow requires server-to-server communication using an application's client secret.
Note: Never put your client secret in distributed code, such as apps downloaded through an app store or client-side JavaScript.
Applications that do not have a web service should use the Implicit Grant flow.
If the server supports it, using Auth Code with no secret and PKCE is recommended. It is made for precisely this scenario: https://www.oauth.com/oauth2-servers/pkce/
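To make the PKCE suggestion concrete, here is an added worked example (not code from this library or from anyone in the thread) of the Authorization Code flow with PKCE (RFC 7636) as a public client would run it. The app holds no client_secret at all: it generates a random code_verifier, sends only its SHA-256 code_challenge in the authorization request, and later proves possession of the verifier at the token endpoint. The `ToyAuthorizationServer` class, the client_id `com.example.app`, the redirect URI and the endpoint hostname are all assumed stand-ins for a real provider; the verifier/challenge pair checked below is the test vector from RFC 7636 Appendix B.

```python
"""Authorization Code + PKCE for a public (mobile) client, with no client_secret.
Constructed example: ToyAuthorizationServer is a stand-in for the real provider."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier kept only in app memory; 32 random bytes -> 43 chars."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """URL the app opens in the system browser. Nothing secret is in it."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Assumed stand-in for the provider: remembers the challenge bound to each code."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        """User consents in the browser; server issues a one-time code tied to the challenge."""
        q = parse_qs(urlparse(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("S256 code_challenge_method required for public clients")
        code = b64url_nopad(secrets.token_bytes(16))
        self._pending[code] = (q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0])
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint: the verifier, not a client_secret, proves the caller is the
        same app instance that started the flow. Codes are single-use."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        exp_client, exp_redirect, expected_challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(make_code_challenge(code_verifier), expected_challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url_nopad(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flow(server: ToyAuthorizationServer, wrong_verifier: bool = False) -> dict:
    """One round trip as the mobile app would perform it; returns the token response.
    wrong_verifier=True simulates an attacker who intercepted the code but not the verifier."""
    client_id, redirect_uri = "com.example.app", "com.example.app://callback"  # assumed values
    verifier = make_code_verifier()
    state = b64url_nopad(secrets.token_bytes(16))  # CSRF token, checked when the callback arrives
    url = build_authorization_url("https://idp.example/authorize", client_id, redirect_uri,
                                  "openid profile", state, make_code_challenge(verifier))
    code = server.authorize(url)
    presented = make_code_verifier() if wrong_verifier else verifier
    return server.token(code, client_id, redirect_uri, presented)


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print("legitimate app:", run_flow(srv))
    print("stolen code, no verifier:", run_flow(srv, wrong_verifier=True))
```

The design point is in `ToyAuthorizationServer.token`: the only thing that binds the token request to the app that started the flow is the verifier, which never left the device until this request and is useless once the single-use code is consumed. A real provider must advertise S256 support (see its `code_challenge_methods_supported` metadata) and should reject `plain`; the app should also check `state` on the callback, which the toy server omits for brevity.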