CliendID and secret exposed in code. about dotlan-radar-chrome-extension HOT 8 CLOSED

See this for a little more information: https://developers.eveonline.com/blog/article/developer-license-agreement-update-2017-10

from dotlan-radar-chrome-extension.

I appreciate the heads up, if you don't mind discussing this with me I'd like to know a bit more:

I know having the client secret in the app is not a best practice, but I'm having trouble determining what problems this can cause. CCP themselves says there are cases where you'd use auth flow in a standalone app, although to be fair they also do mention your method of having users create their own apps elsewhere on that page.

Client IDs are allowed in standalone and single-page apps with no issue, but those are open to the same abuse you mention which could cause your app to get banned, so I'm not sure why the addition of a client secret would make that worse.

On the security side, for it to be abused the potential abuser would have to get the refresh token that is being used which can't be retrieved unless the user's computer is already somehow compromised, in which case all bets are off regardless for any method you choose.

Obviously I'd rather not have my users jump through extra hoops to use the app, but if there is a problem I'm not thinking of or I don't understand correctly I will of course modify my methods.

from dotlan-radar-chrome-extension.

This explains it a bit: https://salesforce.stackexchange.com/questions/14009/whats-the-benefit-of-the-client-secret-in-oauth2

Basically, you signed the dev agreement, you are responsible for the use of the secret and clientid. If someone takes your secret and clientid, and uses it in their app; you are responsible.

from dotlan-radar-chrome-extension.

I still may not be getting something. If I were to remove the client secret entirely, and instead use an implicit flow instead of the auth code flow, I'm still exposing my client ID (not secret, as that isn't used at all in implicit) which can then be stolen and used in other applications which also use an implicit flow, how am I not responsible in that scenario? They are still stealing my app's identity, and perhaps using it nefariously. It's the same result with slightly different information.

from dotlan-radar-chrome-extension.

Its an accepted risk would be my guess. The tokens have a lifetime of 20 minutes vs. Forever.

from dotlan-radar-chrome-extension.

Yeah, the tokens themselves are short lived, but the 'other app' in this scenario is masquerading as mine forever, and it seems like I would still be responsible for what the 'other app' is doing.

You think I would have any luck discussing this on tweetfleet slack? If I get a hard 'no' from CCP then it is what it is, it's their service after all, but the case for not using a secret key seems weak to me.

from dotlan-radar-chrome-extension.

That would likely be best. #sso is best for these sorts of questions on devfleet.

from dotlan-radar-chrome-extension.

Thanks, I appreciate your input. I'll see what they have to say

from dotlan-radar-chrome-extension.