flutter_desktop_webview_auth icon indicating copy to clipboard operation
flutter_desktop_webview_auth copied to clipboard
verified publisher icon invertase

GitHub Sign-In without client secret

Open aemelyanovff opened this issue 3 years ago • 1 comments

GitHub signin requires client secret. But including secrets in desktop apps is not safe, is it? An attacker can decompile the app and find the secret.

How do Google Signin and Facebook Signin work fine without asking client secret? Can the same be done for GitHub?

aemelyanovff avatar Jun 16 '22 18:06 aemelyanovff

Thank you for pointing it out! That's right, we're investigating the same issue in FlutterFire on iOS and Android, see linked PRs. I will explore how to get FlutterFire Desktop to support GitHub provider without a secret as well, since it's the plugin behavior on mobile platform.

pr-Mais avatar Jun 22 '22 10:06 pr-Mais