Security Issue: insecure authorization code grant process #11

Open

YasharF opened this issue Apr 24, 2015 · 1 comment
Comments


YasharF commented Apr 24, 2015

I'm looking at the first example "Google Oauth2 (Authorization code grant)", which is listed in the readme, and it is asking the developer to include their "client_secret". Correct me if I am wrong, but storing a client_secret in a Cordova app is insecure, since a malicious party can reverse engineer the app (e.g. decompile the Android APK file), extract the secret key and use it for other malicious activities on behalf of the app. Such a key should only be stored on a server, not in code or shipped software. Typically, in the case of web apps, the application server reads environment variables that are securely configured (example: http://kalapun.com/posts/node-js-open-source-and-secret-keys/).

Here is what I think we may need to do for jquery-cordova-oauth2, since Cordova is for mobile/device apps:
1 - In the documentation and code, add explicit warnings that it is a security issue to include client_secret.
2 - Replace the example in the readme with one that does not require a secret key. See https://developers.google.com/identity/protocols/OAuth2UserAgent
3 - Disable usage of client_secret, since if someone decides to use it, they are effectively distributing their client secret publicly with their app distribution.

krisrak (Owner) commented Apr 24, 2015

I'm aware of the security issue; I do have a warning in the docs, under features. I've left it in there since not all OAuth2 services have implicit grant. The Android APK is a security issue; the iOS Cordova build is OK.
I will look into removing the auth grant flow...
