Comments (8)
See this for a little more information: https://developers.eveonline.com/blog/article/developer-license-agreement-update-2017-10
from dotlan-radar-chrome-extension.
I appreciate the heads up, if you don't mind discussing this with me I'd like to know a bit more:
I know having the client secret in the app is not a best practice, but I'm having trouble determining what problems this can cause. CCP themselves says there are cases where you'd use auth flow in a standalone app, although to be fair they also do mention your method of having users create their own apps elsewhere on that page.
Client IDs are allowed in standalone and single-page apps with no issue, but those are open to the same abuse you mention which could cause your app to get banned, so I'm not sure why the addition of a client secret would make that worse.
On the security side, for it to be abused the potential abuser would have to get the refresh token that is being used which can't be retrieved unless the user's computer is already somehow compromised, in which case all bets are off regardless for any method you choose.
Obviously I'd rather not have my users jump through extra hoops to use the app, but if there is a problem I'm not thinking of or I don't understand correctly I will of course modify my methods.
from dotlan-radar-chrome-extension.
This explains it a bit: https://salesforce.stackexchange.com/questions/14009/whats-the-benefit-of-the-client-secret-in-oauth2
Basically, you signed the dev agreement, you are responsible for the use of the secret and clientid. If someone takes your secret and clientid, and uses it in their app; you are responsible.
from dotlan-radar-chrome-extension.
I still may not be getting something. If I were to remove the client secret entirely, and instead use an implicit flow instead of the auth code flow, I'm still exposing my client ID (not secret, as that isn't used at all in implicit) which can then be stolen and used in other applications which also use an implicit flow, how am I not responsible in that scenario? They are still stealing my app's identity, and perhaps using it nefariously. It's the same result with slightly different information.
from dotlan-radar-chrome-extension.
Its an accepted risk would be my guess. The tokens have a lifetime of 20 minutes vs. Forever.
from dotlan-radar-chrome-extension.
Yeah, the tokens themselves are short lived, but the 'other app' in this scenario is masquerading as mine forever, and it seems like I would still be responsible for what the 'other app' is doing.
You think I would have any luck discussing this on tweetfleet slack? If I get a hard 'no' from CCP then it is what it is, it's their service after all, but the case for not using a secret key seems weak to me.
from dotlan-radar-chrome-extension.
That would likely be best. #sso is best for these sorts of questions on devfleet.
from dotlan-radar-chrome-extension.
Thanks, I appreciate your input. I'll see what they have to say
from dotlan-radar-chrome-extension.
Related Issues (6)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dotlan-radar-chrome-extension.