ratatatata asked

Client Secret in Open Source Apps?

It's about open source apps which need to make use of the 'Authorization Code Grant' rather than an implicit grant. Am I allowed to embed the 'Client Secret' into code which is publicly available as open source? Of course there is no way of effectively securing the client credentials of an open source app (technically the credentials could be hidden but never secured). I wasn't able to find any information about this topic in the forums, the docs, or the developer agreement. Thanks in advance.
amazon drive

Jamie Grossman answered
Hey there, thanks for posting. Let me look into this for you and I'll get back to you as soon as I have more information on the matter. Jamie

Ross@Amazon answered
This is currently an open question that we have not dealt with before so we must consult with our security teams regarding this issue.

Zachary S. Bedell answered
Just wondering if there's any additional info on this question? I'm considering starting work on an application that would fall into the same situation. I know of one similar app (acd_client in Python) which uses an AppSpot page to accomplish authentication then passes the token back, but it seems less than optimal security-wise to have to pass the info over from a remote app when it could all be done from the app itself. My app would also be command line based like acd-cli, so it complicates things to have to copy/paste web links around to complete authentication. Thanks in advance for any updates!

Ross@Amazon answered
The security team has confirmed that this functionality is not available. If the client secret goes into open source code, that means it becomes public and theoretically anyone can use the same client ID/secret to impersonate this client. This is completely in violation of the consent provided by the customer that their information can only be accessed by a particular third party.

JOSHUA D HULL answered
It looks like this is already an issue. https://github.com/ncw/rclone/blob/master/amazonclouddrive/amazonclouddrive.go#L35 I also would like to know how to deploy amazon cloud drive in an open source app. I would vote for an xauth feature to enable users to authenticate directly when using apps from their own computer.

yadayada answered
I know of at least two projects that (sort of) publish their secret keys, clementine and rclone. But I don't think that's a real security concern until someone also gets hold of a valid refresh token.

Nick Craig-Wood answered
rclone author here... I should note that that is an encrypted version of the secret, not the actual secret. This isn't a perfect solution for lots of obvious reasons (please don't spell them out in replies to this message ;-), but it was the best I could come up with without running an external service which would handle sensitive authentication information and potentially give me access to lots of my users' accounts.

ratatatata answered
Answered: open source not supported. The API is in need of a personal user authentication procedure (such as personal user-specific API keys).
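The thread asks how an open source (public) client can use the Authorization Code Grant without a secret it cannot protect. The standard mechanism for exactly that situation is PKCE (RFC 7636): the client binds the authorization request to a one-time verifier instead of a static secret, so a leaked client ID or intercepted code is not enough to redeem a token. The code below is an added example, not from the thread, rclone, or Amazon Drive; the endpoint, client ID and redirect URI are placeholders, and whether a given provider accepts PKCE is not something this thread establishes.

```python
import base64
import hashlib
import secrets
import urllib.parse


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Per-flow random secret held only in this process (43-128 chars)."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scope, state, challenge):
    # Only the challenge leaves the client; the verifier stays in memory.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)


def build_token_request(code, client_id, redirect_uri, verifier):
    # No client_secret field: the verifier proves this is the same client
    # instance that started the flow, which is what the static secret was for.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: recompute the challenge, constant-time compare."""
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))
```

A public client generates a fresh verifier per login (for a CLI, typically with a loopback redirect such as a placeholder `http://127.0.0.1:<port>/callback`), and the server rejects the token request if the presented verifier does not hash to the challenge it stored with the code.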