Unable to find client secret

Open bgornicki opened this issue 6 years ago • 14 comments

I need to have my app "client secret" but it's impossible to get it from the dashboard.

bgornicki avatar Mar 10 '19 20:03 bgornicki

@bgornicki We've changed the flow; now the secret is not known by SteemConnect, so if you don't have it you need to create a new reset. There isn't yet an easy way on the interface to do that, but here is a snippet that should help: https://gist.github.com/bonustrack/ba0202345808a1d1216c1ec02668c0b1

bonustrack avatar Mar 14 '19 16:03 bonustrack

I had the same problem, but I can't bring myself to try it. It looks like it adds the secret to the json_metadata which is publicly available. @bgornicki did you try this? Did it work for you?

r351574nc3 avatar Mar 15 '19 13:03 r351574nc3

The problem is that the Steem account for my application was created using Steemconnect and I don't have the keys to do json_metadata update.

bgornicki avatar Mar 15 '19 13:03 bgornicki

@r351574nc3 the param name is misleading: in the json_metadata only the hash of the secret is available in the secret param. @bgornicki If the steem account was created on steemconnect, the active key of the account is the same as the creator account's active key, your own account.

bonustrack avatar Mar 15 '19 13:03 bonustrack

Thank you, I was not aware of that and it solves my problem.

bgornicki avatar Mar 15 '19 13:03 bgornicki

@bonustrack Ok, I see. The hash obfuscates the secret which makes it fine to put into json_metadata. This kinda turns my assumption on its head. I was thinking the secret hash was my CLIENT_SECRET. Can you explain how this works if I'm creating the secret instead of using the JWT_SECRET in steemconnect? I guess what I really want to know is

  1. How does this regenerate my CLIENT_SECRET?
  2. How can I verify it is working properly with steemconnect?

r351574nc3 avatar Mar 15 '19 19:03 r351574nc3

@r351574nc3 you need to generate the secret yourself, hash it using the code snippet provided by @bonustrack and update json_metadata on your application account. You don't need to do that if you don't need to know your secret (for example to verify the returned token).

bgornicki avatar Mar 16 '19 11:03 bgornicki

@bgornicki you repeated exactly what I said. I understand what the steps are. That's not what I'm asking or misunderstand here.

I don't see how this is securing things if my hash is out there. It hasn't been said, so all I can do is assume. I'm going to assume the following: (@bonustrack please verify)

  1. The secret generated is what's passed as client_secret to steemconnect
  2. The process for validating the client_secret is the following
    1. steemconnect gets the owner id of the app
    2. steemconnect gets the account json_metadata
    3. steemconnect gets the Secret field
    4. steemconnect validates the client_secret by unhashing it. (I realize this could be wrong because then steemconnect would know the secret which the whole point of this is to avoid).

The above makes sense because then it means the reason the secret hash is in json_metadata is that it's public on purpose for steemconnect to access it. My only guess is so that it can validate the client_secret. Of course, this may make sense, but my skeptical nature makes me question it. I am skeptical because while it does make sense I question "Why make the hash public?". The only one going to use this information is steemconnect. Public on purpose implies the public needs to know it to decentralize or distribute the information (like PGP keys). I don't see the point here though unless there's something I'm missing. I just talked myself into thinking I'm wrong because there's gotta be more here, right?

r351574nc3 avatar Mar 16 '19 16:03 r351574nc3

I tried the above and I am getting 401 Unauthorized, so I guess I must have been wrong. You don't pass secret as client_secret. I'm not sure what to use then.

r351574nc3 avatar Mar 16 '19 17:03 r351574nc3
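
How a service can check a client secret against a hash stored in public metadata without ever holding the secret, as an added example that is not part of the thread and not SteemConnect's code. SHA-256, the hex encoding, the function names and the sample metadata are assumptions; the thread does not say which hash the linked snippet uses.

```javascript
'use strict';
const crypto = require('node:crypto');

// App owner: generate a high-entropy secret. Because the hash is public,
// a guessable secret could be found by offline guessing; 32 random bytes cannot.
function generateSecret() {
  return crypto.randomBytes(32).toString('hex');
}

// Value the owner publishes in the account metadata (assumed: hex SHA-256).
function hashSecret(secret) {
  return crypto.createHash('sha256').update(secret, 'utf8').digest('hex');
}

// Verifier: a hash cannot be "unhashed". Hash the presented secret and
// compare it with the published hash in constant time.
function verifySecret(presented, publishedHash) {
  if (typeof presented !== 'string' || typeof publishedHash !== 'string') {
    return false;
  }
  const a = Buffer.from(hashSecret(presented), 'hex');
  const b = Buffer.from(publishedHash, 'hex');
  if (a.length !== b.length) return false; // timingSafeEqual throws on mismatch
  return crypto.timingSafeEqual(a, b);
}

// Constructed sample: metadata as a verifier might read it from the app account.
function demo() {
  const secret = generateSecret();
  const metadata = { secret: hashSecret(secret) }; // only the hash is public
  return {
    // The real secret hashes to the published value.
    secretAccepted: verifySecret(secret, metadata.secret),
    // Presenting the public hash itself does not work: it gets hashed again.
    publicHashAccepted: verifySecret(metadata.secret, metadata.secret),
    // Any other value is rejected.
    wrongSecretAccepted: verifySecret('not-the-secret', metadata.secret),
  };
}

console.log(demo());
```
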

I'm trying to use WP social login with steemconnect. I generated the client secret with the js script @bonustrack posted above, but I would like to know which one exactly is the application ID and where to find it.

Thanks

digital-mine avatar Apr 03 '19 14:04 digital-mine

The application id is simply the app account username @digital-mine

bonustrack avatar Apr 03 '19 15:04 bonustrack

Ok. I used my account instead of my app account :facepalm: My app account was created through steemconnect v2. I don't have any of the keys because steemconnect holds the keys, so I can't update the profile. I'm basically locked out at this point. I tried https://app.steemconnect.com/accounts/recover. Still waiting on recovery.

r351574nc3 avatar Apr 03 '19 19:04 r351574nc3

@r351574nc3 I asked the same question and here is the answer.

bgornicki avatar Apr 03 '19 19:04 bgornicki

@bgornicki Oh, I missed that earlier. Somehow, that didn't register to me at the time as valuable information. Thanks. For those that wonder which part was useful from @bonustrack :

If the steem account was created on steemconnect, the active key of the account is the same as the creator account's active key, your own account.

r351574nc3 avatar Apr 03 '19 20:04 r351574nc3