
Lack of clarity in documentation about exposing the "Client Secret" for Social Apps

Open wasiqwiqar opened this issue 1 year ago • 4 comments

I have the authentication workflow working properly with Google + a separate authentication workflow with email/passwords.

For the email/password workflow, here's what's working properly and looks secure to me.

  grant_type: 'password',
  client_id: 'Client ID of the social application in Django',
  username: username,
  password: password

But for the Google Authentication, I do this, and having the client secret public does not look secure to me

  grant_type: 'convert_token',
  client_id: 'Client ID of the social application in Django',
  client_secret: 'Client Secret of the social application in Django',
  token: 'Token received from Google',
  password: 'google-oauth2'

I'm pretty sure I'm missing something because this was not touched upon in the documentation. Would this be safe to deploy for production, or do I need a new approach for this?

Thank you for your time!

wasiqwiqar avatar Dec 14 '23 19:12 wasiqwiqar

Same issue here - convert_token endpoint requires client_secret, which I have to send from frontend. Obviously, this is not ideal

AlexanderPershin avatar Jun 18 '24 11:06 AlexanderPershin

> Obviously, this is not ideal

Is it possible that we're missing something about this workflow? I've avoided implementing this in a couple of live apps now because of the missing clarification.

wasiqwiqar avatar Jun 24 '24 18:06 wasiqwiqar

> Is it possible that we're missing something about this workflow? I've avoided implementing this in a couple of live apps now because of the missing clarification.

idk, I added a proxy which stores keys and adds them to the request automatically

AlexanderPershin avatar Jun 25 '24 00:06 AlexanderPershin
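The proxy approach mentioned above, as an added example that is not code from this thread or from drf-social-oauth2: the browser sends only the provider token to your own backend, and the backend adds `client_id` and `client_secret` from its own configuration before calling the `/auth/convert-token/` endpoint, so the secret never ships in the frontend bundle. The endpoint path, `grant_type=convert_token` and the `token` field follow the thread; the `backend` field name (`google-oauth2`) follows drf-social-oauth2's README rather than the `password` key in the first post, and the URL, credentials and server responses below are constructed placeholders.

```python
"""Server-side proxy for drf-social-oauth2's convert_token exchange.

Added example (not drf-social-oauth2 project code). The frontend never sees
client_secret: it posts the Google token here, and this code adds the
server-held credentials before talking to the DRF endpoint.
"""
import json
import os
from typing import Callable, Dict, Tuple
from urllib import request as urlrequest
from urllib.parse import urlencode

# Constructed placeholders; in a deployment these come from the environment
# or a secrets manager, never from the browser.
DRF_TOKEN_URL = os.environ.get("DRF_TOKEN_URL", "https://api.example.invalid/auth/convert-token/")
CLIENT_ID = os.environ.get("DRF_CLIENT_ID", "placeholder-client-id")
CLIENT_SECRET = os.environ.get("DRF_CLIENT_SECRET", "placeholder-client-secret")

# Provider backends this proxy is willing to exchange tokens for.
ALLOWED_BACKENDS = {"google-oauth2"}

# Keys the browser must never be allowed to set; they are server decisions.
SERVER_ONLY_FIELDS = {"grant_type", "client_id", "client_secret"}


class ProxyError(ValueError):
    """Raised when the frontend payload is rejected or the exchange fails."""


def build_convert_token_body(frontend_payload: Dict[str, str]) -> Dict[str, str]:
    """Validate the browser payload and attach the server-held credentials."""
    forbidden = SERVER_ONLY_FIELDS & set(frontend_payload)
    if forbidden:
        # A caller trying to supply its own client credentials is a red flag.
        raise ProxyError(f"frontend must not send {sorted(forbidden)}")
    token = frontend_payload.get("token")
    if not isinstance(token, str) or not token:
        raise ProxyError("missing provider token")
    backend = frontend_payload.get("backend", "google-oauth2")
    if backend not in ALLOWED_BACKENDS:
        raise ProxyError(f"unsupported backend {backend!r}")
    return {
        "grant_type": "convert_token",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "backend": backend,
        "token": token,
    }


def _http_post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: form-encoded POST, as drf-social-oauth2 expects."""
    req = urlrequest.Request(url, data=urlencode(form).encode(), method="POST")
    with urlrequest.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


def convert_token(frontend_payload: Dict[str, str],
                  post: Callable[[str, Dict[str, str]], Tuple[int, str]] = _http_post) -> Dict[str, object]:
    """Exchange a provider token for DRF tokens and return only what the browser needs."""
    body = build_convert_token_body(frontend_payload)
    status, text = post(DRF_TOKEN_URL, body)
    if status != 200:
        raise ProxyError(f"token exchange failed with status {status}")
    data = json.loads(text)
    # Pass through the token fields only; never echo the outgoing request body.
    wanted = ("access_token", "refresh_token", "expires_in", "token_type", "scope")
    return {k: data[k] for k in wanted if k in data}


def fake_drf_server(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for the DRF endpoint so the example runs offline."""
    if form.get("client_secret") != CLIENT_SECRET or form.get("grant_type") != "convert_token":
        return 401, json.dumps({"error": "invalid_client"})
    return 200, json.dumps({"access_token": "constructed-access", "refresh_token": "constructed-refresh",
                            "expires_in": 36000, "token_type": "Bearer", "scope": "read write"})


if __name__ == "__main__":
    # Constructed browser payload: just the Google token, nothing else.
    print(convert_token({"token": "ya29.constructed-google-token"}, post=fake_drf_server))
```

In a Django project this would sit behind a view (for example a DRF `APIView`) that reads the JSON body, calls `convert_token`, and returns the result; the point is that `client_secret` only ever lives in server configuration and the proxy rejects any attempt by the caller to supply its own.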

What you can do is open a PR that changes the way it works. If you do not wish your apps to keep the client secret in the FE, you can change drf-social-oauth2 so that it accepts only the client_id and works its magic from there.

wagnerdelima avatar Jun 27 '24 10:06 wagnerdelima

@wagnerdelima Am I right in assuming from your response that it is normal to be storing the client secret generated by drf-social-oauth2 in the FE?

dreaquil avatar Jul 23 '24 18:07 dreaquil

No, you should not store the client secret in the FE. The newest version of drf-social-oauth2 does not accept the client_secret in the request anymore. Take a look at the docs please.

The client secret should never be passed in the requests!

wagnerdelima avatar Jul 24 '24 09:07 wagnerdelima

@AlexanderPershin @wasiqwiqar the client secret is not needed anymore. Use the latest version of the framework. Also, we shall receive the user name, family name and email from the /convert-token endpoint.

wagnerdelima avatar Jul 24 '24 09:07 wagnerdelima

> @AlexanderPershin @wasiqwiqar the client secret is not needed anymore. Use the latest version of the framework. Also, we shall receive the user name, family name and email from the /convert-token endpoint.

Thanks for the update!

AlexanderPershin avatar Jul 24 '24 10:07 AlexanderPershin