
GithubOAuth tells users to distribute their client secrets #43

Description

@sebbert

The GithubOAuth example uses OAuth2's authorization code grant.
This is fine if you can delegate the authorization to a server you own and store the client secret there, but this isn't the case here. The README instructs users to paste their client secret into the app. This is a very bad idea™, as these can very easily be extracted from the exported package.

To be fair, there is a security warning in the README, but "Note:" is not how you tell people about fundamental security flaws.

There does exist another OAuth flow, implicit grant, which doesn't require a client secret. GitHub does not support this, however.

We should either provide some basic server code, or switch to a different provider for this example.
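The "basic server code" the issue asks for, as an added example that is not part of the issue or of the project's GithubOAuth example: a minimal backend for GitHub's authorization code grant in which the client secret exists only on the server. The app asks this backend for an authorize URL, sends the user to GitHub, and after GitHub redirects back with `code` and `state` the app posts both to the backend, which checks the state and performs the code-for-token exchange itself. The GitHub endpoints and form fields are the documented ones; the class name `OAuthBackend`, the redirect URI, the client id, the `fake_github_post` stand-in and the secret value are assumptions made so the example runs offline.

```python
"""Server-side GitHub OAuth exchange: the client secret never reaches the app.
Added example, not the project's own code. Names other than the GitHub URLs
and form fields are assumptions."""

import json
import os
import secrets
import time
from urllib import parse, request

GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"


class ExchangeError(Exception):
    pass


class OAuthBackend:
    def __init__(self, client_id, client_secret, redirect_uri, http_post=None, state_ttl=600):
        # The secret is read from the server's environment and is never
        # included in anything returned to the app.
        self._client_id = client_id
        self._client_secret = client_secret
        self._redirect_uri = redirect_uri
        self._http_post = http_post or self._default_post  # injectable for offline use
        self._state_ttl = state_ttl
        self._pending_states = {}  # state -> time issued

    def begin_login(self, scope="read:user"):
        """Step 1: mint an unguessable single-use `state` (CSRF protection)
        and build the URL the app sends the user to. No secret is needed here."""
        state = secrets.token_urlsafe(32)
        self._pending_states[state] = time.time()
        query = parse.urlencode({
            "client_id": self._client_id,
            "redirect_uri": self._redirect_uri,
            "scope": scope,
            "state": state,
        })
        return f"{GITHUB_AUTHORIZE_URL}?{query}"

    def finish_login(self, code, state):
        """Step 2: the app posts the `code` and `state` GitHub handed it.
        The server verifies the state, then exchanges the code using the
        secret that only it holds."""
        issued = self._pending_states.pop(state, None)  # pop: state is single use
        if issued is None or time.time() - issued > self._state_ttl:
            raise ExchangeError("unknown or expired state")
        form = {
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "code": code,
            "redirect_uri": self._redirect_uri,
        }
        resp = self._http_post(GITHUB_TOKEN_URL, form, {"Accept": "application/json"})
        if "error" in resp:
            raise ExchangeError(resp.get("error_description", resp["error"]))
        # Return only what the app needs. A deployment that keeps the token
        # server-side and hands the app a session id is safer still.
        return {"access_token": resp["access_token"], "token_type": resp.get("token_type", "bearer")}

    @staticmethod
    def _default_post(url, form, headers):
        req = request.Request(url, data=parse.urlencode(form).encode(), headers=headers, method="POST")
        with request.urlopen(req, timeout=10) as r:
            return json.loads(r.read().decode())


def fake_github_post(url, form, headers):
    """Constructed stand-in for GitHub's token endpoint so the example runs
    offline. It only honours the assumed secret and a fixed good code."""
    assert url == GITHUB_TOKEN_URL
    if form.get("client_secret") != "server-only-secret" or form.get("code") != "good-code":
        return {"error": "bad_verification_code", "error_description": "The code passed is incorrect or expired."}
    return {"access_token": "gho_example", "token_type": "bearer", "scope": "read:user"}


def state_from_authorize_url(url):
    """What the app would read back from GitHub's redirect (constructed here)."""
    return parse.parse_qs(parse.urlparse(url).query)["state"][0]


def demo():
    backend = OAuthBackend(
        client_id="Iv1.example",  # assumed value
        client_secret=os.environ.get("GITHUB_CLIENT_SECRET", "server-only-secret"),
        redirect_uri="https://example.invalid/callback",  # assumed value
        http_post=fake_github_post,
    )
    url = backend.begin_login()
    state = state_from_authorize_url(url)
    token = backend.finish_login("good-code", state)
    try:  # replaying the same state must fail
        backend.finish_login("good-code", state)
        replay_rejected = False
    except ExchangeError:
        replay_rejected = True
    try:  # a state the server never issued must fail
        backend.finish_login("good-code", "forged-state")
        forged_rejected = False
    except ExchangeError:
        forged_rejected = True
    return {"authorize_url": url, "token": token,
            "replay_rejected": replay_rejected, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The only thing the exported app needs to ship is the client id, which GitHub treats as public; the secret is read from `GITHUB_CLIENT_SECRET` on the server. Replace `fake_github_post` with the default transport to talk to GitHub for real.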
