Open kadary opened 5 years ago
Hello @kadary,
I've been thinking about the same when reading about client_secret
to be used on the front-end. After reading your ticket about it, the thing that made it even funnier is that we even think alike with our profile pictures. :laughing:
Well, when I saw this, I jumped out from my seat. I expected some kind of hashing or something to hide it.
So, I've moved to https://utteranc.es/, which does not have this security issue.
Hello,
You asked to file an issue if we think the OAuth2 app `client_secret` is a security risk in the frontend.
Just to let you know that your client secret can be used to manipulate other GitHub resources using mechanisms other than the OAuth2 authorization_code flow. It can be used in the GitHub authorization APIs to gain information about your end users, for example (https://developer.github.com/v3/oauth_authorizations/).
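The risk raised in this issue is that a secret meant for a server ends up in a shipped JavaScript bundle. A practical defensive check is to scan built frontend assets for any `client_secret`-style key assigned a string literal before deploying, while the real fix is to do the authorization_code exchange on a backend that holds the secret. The following is an added example written for this thread, not code from Gitalk or from any participant; the key names it looks for, the sample bundle and the secret value in it are all constructed for the demonstration.

```javascript
// Added example: detect OAuth client secrets that were bundled into
// client-side code. Not part of the Gitalk project.

// Config keys that, when given a literal value in browser code, indicate a
// server-side credential has leaked. Names are assumptions; extend as needed.
const SECRET_KEYS = ['client_secret', 'clientSecret', 'CLIENT_SECRET'];

// Build a pattern for `key: "literal"`, `key = 'literal'` or `"key":"literal"`.
// Only string literals are flagged: `clientSecret: process.env.X` is not a leak
// in the bundle itself, so it is deliberately not matched.
function buildPattern() {
  const escaped = SECRET_KEYS
    .map((k) => k.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('|');
  return new RegExp(`["']?(${escaped})["']?\\s*[:=]\\s*["']([^"']+)["']`, 'g');
}

// Show only the ends of a value so a report does not re-leak the secret.
function redact(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 4) + '...' + value.slice(-4);
}

// Returns one finding per literal secret: key, raw value, line number, redacted form.
function findClientSecrets(source) {
  const findings = [];
  const re = buildPattern();
  let match;
  while ((match = re.exec(source)) !== null) {
    const line = source.slice(0, match.index).split('\n').length;
    findings.push({ key: match[1], value: match[2], line, redacted: redact(match[2]) });
  }
  return findings;
}

// True when the bundle carries no literal client secret.
function isBundleClean(source) {
  return findClientSecrets(source).length === 0;
}

// Constructed sample of a built widget config; the secret value is fake.
const SAMPLE_BUNDLE = [
  'new Gitalk({',
  '  clientID: "0123456789abcdef0123",', // public identifier, acceptable in the browser
  '  clientSecret: "cafebabe00112233445566778899aabbccddeeff",', // constructed leak
  '  repo: "blog-comments",',
  '});',
].join('\n');

// Stand-alone run: report findings with the value redacted.
for (const f of findClientSecrets(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.key} = ${f.redacted} (move this to the server)`);
}
```

Run this against each file in the build output directory in CI and fail the build on any finding; a clean scan says only that no literal secret shipped, so the token exchange should still live behind a backend endpoint that the browser calls with the authorization code.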