The GithubOAuth example uses OAuth2's authorization code grant.
This is fine if you can delegate the authorization to a server you own and store the client secret there, but this isn't the case here. The README instructs users to paste their client secret into the app. This is a very bad idea™, as these can very easily be extracted from the exported package.
To be fair, there is a security warning in the README, but "Note:" is not how you tell people about fundamental security flaws.
There does exist another OAuth flow, implicit grant, which doesn't require a client secret. GitHub does not support this, however.
We should either provide some basic server code, or switch to a different provider for this example.
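As an added illustration of the "basic server code" suggested above (not code from the GithubOAuth example or its README), here is a minimal stdlib-only Python relay: the app opens the login URL, GitHub redirects to this server's `/callback`, and only the server, which holds the client secret, performs the code-for-token exchange. The environment variable names, the `/callback` path, the port and the placeholder credentials are assumptions for the example.

```python
"""Server-side OAuth2 authorization-code exchange so the client secret never ships in the app."""
import json
import os
import secrets
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"
# Assumed env var names; placeholders are used only so the example runs offline.
CLIENT_ID = os.environ.get("GITHUB_CLIENT_ID", "placeholder-client-id")
CLIENT_SECRET = os.environ.get("GITHUB_CLIENT_SECRET", "placeholder-secret")  # lives here only
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # assumed; must match the GitHub app settings
_pending_states = set()  # one-time CSRF tokens handed out per login attempt

def new_login_url(redirect_uri=REDIRECT_URI, scope="read:user"):
    """Return (url, state). The app opens the URL; the state ties the callback to this attempt."""
    state = secrets.token_urlsafe(16)
    _pending_states.add(state)
    query = urllib.parse.urlencode({"client_id": CLIENT_ID, "redirect_uri": redirect_uri,
                                    "scope": scope, "state": state})
    return f"{GITHUB_AUTHORIZE_URL}?{query}", state

def consume_state(state):
    """Accept each state exactly once; unknown or replayed states are rejected."""
    if state in _pending_states:
        _pending_states.discard(state)
        return True
    return False

def build_token_request(code, redirect_uri=REDIRECT_URI):
    """Build the POST to GitHub's token endpoint; the secret is added only on the server."""
    body = urllib.parse.urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                                   "code": code, "redirect_uri": redirect_uri}).encode()
    return urllib.request.Request(GITHUB_TOKEN_URL, data=body, method="POST",
                                  headers={"Accept": "application/json"})

class CallbackHandler(BaseHTTPRequestHandler):
    """GET /callback?code=...&state=... -> exchange the code, return only the access token."""
    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(parsed.query)
        code, state = params.get("code", [""])[0], params.get("state", [""])[0]
        if parsed.path != "/callback" or not code or not consume_state(state):
            self.send_error(400, "missing code or bad/replayed state")
            return
        with urllib.request.urlopen(build_token_request(code), timeout=10) as resp:
            token = json.load(resp).get("access_token", "")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"access_token": token}).encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CallbackHandler).serve_forever()
```

The app then only ever sees the access token returned by `/callback`; the client secret is read from the server's environment and never appears in the exported package.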