mislav
commented
3 years ago (I'm guessing that you're talking about OAuth secrets. The client ID for any OAuth app is public knowledge.)
That's a great question! The short answer: just embed the "secret" value in your app. Even while compiled/obfuscated, assume that the value will always be trivially extractable from your app (and thus not a secret anymore), but that's fine. We do this in GitHub CLI.
Basically, the concept of an OAuth secret doesn't translate well to client apps, since it was designed with web applications in mind. For their OAuth applications, for example, Google asks each developer to indicate whether an OAuth app is a client app and doesn't provide nor require secrets for those apps, since they cannot possibly remain secret. The rest of the protocol remains the same.
Naturally, all this means that anyone can take your OAuth client ID + secret and pretend that they are your application. That's true, but it isn't such a big risk as it sounds. By the nature of running on the user's machine, client apps are not guaranteed to be tamper-proof anyway.
I guess we should add some docs about this to the README.
alecbcs
ghost
jvalkeal
williammartin
Hi, I apologize if I've just missed something in the documentation but, should our OAuth App Client IDs be kept secret? In the case of writing a headless app how should we distribute the Client IDs to the user's applications so that they can authenticate with GitHub? Is it best to write a server side relay that requests the tokens on the behalf of the CLI tool and then passes the resulting temporary code and token back to the user, so that the user never has access to the Client ID, or is it safe to embed the client ID in a distributed binary/source code? Thanks for your time.