
Compromised Security

Open atrepeklis opened this issue 8 years ago • 0 comments

According to Instagram's documentation, if you want to authorize a user without a server-side element you should use the "Client-Side (Implicit) Authentication" instead of the "Server-side (Explicit) Flow". As mentioned in the documentation:

"If you are building an app that does not have a server component (a purely javascript app, for instance), you will notice that it is impossible to complete step three above to receive your access_token without also having to store the secret on the client. You should never pass or store your client_id secret onto a client. For these situations there is the Implicit Authentication Flow."

In your solution you are actually storing the client_id secret in the client and using the Server-side (Explicit) Flow, which compromises the security of your application.

Am I missing something or is this really a security violation?

atrepeklis avatar Aug 20 '16 07:08 atrepeklis
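The distinction the issue draws, as an added example that is not code from this repository: a client-only app simulates both flows against a mock authorization server and mock token endpoint. The endpoint paths follow the legacy Instagram API docs of that era and are an assumption here; the client id, secret, codes and tokens are constructed sample values. The explicit flow only completes when the app carries client_secret, while the implicit flow returns the token in the redirect fragment and never needs the secret on the device.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint paths as in the legacy Instagram API docs (assumed, not taken from this issue).
AUTHORIZE_URL = "https://api.instagram.com/oauth/authorize/"
TOKEN_URL = "https://api.instagram.com/oauth/access_token"

# Constructed sample registration; not real credentials.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example/oauth/callback"


def build_authorize_url(client_id, redirect_uri, flow):
    """Authorization request for either flow. Only response_type differs:
    'explicit' asks for a code (Server-side flow), 'implicit' asks for a token."""
    response_type = {"explicit": "code", "implicit": "token"}[flow]
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": response_type}
    return AUTHORIZE_URL + "?" + urlencode(params)


def mock_authorization_server(authorize_url):
    """Stand-in for the provider's authorize endpoint after the user consents
    (constructed for this example); it simply honours response_type."""
    q = parse_qs(urlparse(authorize_url).query)
    redirect = q["redirect_uri"][0]
    if q["response_type"][0] == "code":
        return redirect + "?code=CODE123"           # explicit: code in the query string
    return redirect + "#access_token=TOKEN456"      # implicit: token in the URL fragment


def mock_token_endpoint(form):
    """Stand-in for the provider's access_token endpoint. Like the real one it
    requires client_secret, which is why a pure client cannot call it safely."""
    if form.get("client_secret") != CLIENT_SECRET:
        return {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code" or form.get("code") != "CODE123":
        return {"error": "invalid_grant"}
    return {"access_token": "TOKEN789"}


def parse_redirect(redirect_url):
    """Return ('code', value) for the explicit flow or ('access_token', value)
    for the implicit flow, depending on where the provider placed the result."""
    parsed = urlparse(redirect_url)
    query = parse_qs(parsed.query)
    if "code" in query:
        return "code", query["code"][0]
    fragment = parse_qs(parsed.fragment)
    if "access_token" in fragment:
        return "access_token", fragment["access_token"][0]
    raise ValueError("redirect carries neither code nor access_token")


def run_client(flow, secret_on_device):
    """Simulate an app with no backend. Returns whether it obtained a token and
    whether it had to embed client_secret in the app to do so."""
    url = build_authorize_url(CLIENT_ID, REDIRECT_URI, flow)
    kind, value = parse_redirect(mock_authorization_server(url))
    if kind == "access_token":
        return {"token": value, "secret_embedded": False}
    # Explicit flow: the app must exchange the code itself. Without a server
    # component the only way to satisfy the endpoint is to ship client_secret.
    form = {"client_id": CLIENT_ID, "client_secret": secret_on_device,
            "grant_type": "authorization_code", "redirect_uri": REDIRECT_URI,
            "code": value}
    result = mock_token_endpoint(form)
    return {"token": result.get("access_token"),
            "secret_embedded": secret_on_device is not None}


if __name__ == "__main__":
    print("implicit, no secret on device:", run_client("implicit", None))
    print("explicit, no secret on device:", run_client("explicit", None))
    print("explicit, secret embedded:    ", run_client("explicit", CLIENT_SECRET))
```

Running the three cases shows the trade-off in the issue: the implicit flow yields a token with no secret on the device, the explicit flow without a secret fails at the token endpoint, and making it succeed means the secret ships inside the app, where anyone with the APK can read it. A backend that holds the secret and performs the code exchange is the only way to keep the explicit flow and keep the secret off the client.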