jhipster / generator-jhipster

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures.
https://www.jhipster.tech
Apache License 2.0

JHipster OAuth2 security issue : Client secret has been exposed in JHipster JS code #1898

Closed kevintrannz closed 8 years ago

kevintrannz commented 9 years ago

There are a few questions in our JHipster chat (https://gitter.im/jhipster/generator-jhipster) but no one answers them. Just pick one of the questions:

@artjomg: in the client I have to share the secret of the server, which is a security issue I think, but the REST request successfully gets a new token issued every five seconds as expected. So I could use this approach to provide an API-key approach, but distributing the OAuth secret seems to be a security issue. It would be great if I could configure an additional provider with its own client id, or somebody could give me a hint about how to provide an API-key feature within JHipster. Thanks.

So I would like to create a ticket here for everyone to discuss / fix this issue.

Check src/main/webapp/scripts/components/auth/provider/auth.oauth2.service.js

```javascript
login: function(credentials) {
    // The OAuth2 client secret is hard-coded into JS that is delivered to every browser
    var data = "username=" + encodeURIComponent(credentials.username) + "&password="
        + encodeURIComponent(credentials.password) + "&grant_type=password&scope=read%20write&" +
        "client_secret=mySecretOAuthSecret&client_id=secretApp";
    return $http.post('oauth/token', data, {
        headers: {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
            // ...and again here, as the Basic header used for client authentication
            "Authorization": "Basic " + Base64.encode("secretApp" + ':' + "mySecretOAuthSecret")
        }
    });
}
```

Is the back-end check necessary when the client_id and client_secret are known to the world and anyone can bypass this check?

src/main/java/com/app/config/OAuth2ServerConfiguration.java

```java
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients
        .inMemory()
        // The same id/secret pair that is shipped in the browser JS above
        .withClient("secretApp")
        .secret("mySecretOAuthSecret")
        ...
}
```

Does anyone have experience with OAuth2 exposing the client secret to the world, and why we need to use it against the backend when everyone knows the secret?

Please give us your ideas. Thank you.

jdubois commented 9 years ago

Isn't this a duplicate from #586 and #1661 ? Can you have a look at them?

sdoxsee commented 9 years ago

I just wrote a short bit about this on stackoverflow.com: http://stackoverflow.com/a/32062458/1098564. You can take the client secret out altogether, but I don't think it buys you anything in security unless you change the JHipster architecture to use a server-side proxy.

kevintrannz commented 9 years ago

@jdubois: Yes. This is a duplicate of the #586 and #1661 tickets, but we hope that this channel will be open for community discussion / inputs to fix this issue properly.

No solution was found in either ticket:

https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

After registering your app, you will receive a client ID and a client secret. The client ID is considered public information, and is used to build login URLs, or included in Javascript source code on a page. The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as Javascript or native apps, then the secret is not used.

http://alexbilbie.com/2014/11/oauth-and-javascript

Above are a few of the links we could find on the web for reference. Hope we have more inputs in this thread. Thank you.

kevintrannz commented 9 years ago

@sdoxsee: Yes, removing them from the JHipster code would be a quick workaround in this case.

jdubois commented 9 years ago

@kevintvh yes it's always open for improvements. I'm clearly not an expert in that field, and I'm not using OAuth2 at the moment.

kevintrannz commented 9 years ago

Thanks @jdubois.

jdubois commented 8 years ago