
Github OAuth2 does not support Client Authentication?

Well, the OAuth2 specification foresees cases where you are authenticating in an application that runs fully on the client side (browsers, mobiles, etc.) and so is incapable of protecting its code/data.

In the memo regarding Security Considerations they say you should not store credentials in your code (for obvious reasons, I think):

https://www.rfc-editor.org/rfc/rfc6819#section-5.3.1

Also, in the memo about native clients, they highly recommend that an authorization server not require an application secret:

https://www.rfc-editor.org/rfc/rfc8252#section-8.5

So, it should be possible to obtain an access token without using the client secret using a "client" grant type, like this:

https://www.oauth.com/oauth2-servers/mobile-and-native-apps/authorization/


Anyway, the Github documentation states that the client_secret is mandatory to retrieve the access token:

https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#2-users-are-redirected-back-to-your-site-by-github

By the official specification, you should be able to achieve this, but I couldn't find a way to do it using Github OAuth, and here is my question:

Is there a way to use Github OAuth and get an access token without using the client_secret?

Fabiano asked Oct 16 '22 09:10

1 Answer

So, is there a way to use Github OAuth and get an access token without using the client_secret?

Not that I can see, when considering the authorization grant step:

The application exchanges that code for the access token.

When the application makes the request for the access token, that request is authenticated with the client secret, which reduces the risk of an attacker intercepting the authorization code and using it themselves.

That means that if an application needs to automate that step on behalf of a client, it needs to fetch that secret from a third-party secret store, like a vault.

See for instance puppetlabs/vault-plugin-secrets-oauthapp, which is a plugin providing a secure wrapper around OAuth 2 authorization code grant flows, allowing a Vault client to request authorization on behalf of a user and perform actions using a negotiated OAuth 2 access token.
(Here, Vault is hashicorp/vault.)

VonC answered Oct 21 '22 04:10
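To make the two halves of this thread concrete, here is an added example (mine, not code from the question, the answer, or GitHub) that shows what the question is asking for and what the answer says GitHub actually requires. It builds an RFC 7636 PKCE verifier/challenge pair, which is the secretless mechanism RFC 8252 points native apps at, and then builds the token-exchange POST to GitHub's documented endpoint (https://github.com/login/oauth/access_token), where client_secret is a required field and is therefore pulled from an injected secret source at request time rather than embedded in the code. The code_verifier parameter in the body is what a PKCE-capable server would check; whether GitHub honours it is not something this page establishes, so treat that field as an assumption. The environment-variable name GITHUB_CLIENT_SECRET, the client_id and the sample token responses are constructed for the example; no network request is made.

```python
import base64
import hashlib
import json
import os
import secrets
from urllib.parse import parse_qs, urlencode

# GitHub's documented OAuth endpoints (from the authorizing-oauth-apps guide).
GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"


def make_pkce_pair(verifier=None):
    """RFC 7636, S256 method: challenge = BASE64URL(SHA-256(verifier)), no '=' padding.

    A public client keeps the verifier private until the token request; an attacker who
    intercepts only the authorization code cannot redeem it without the verifier.
    """
    if verifier is None:
        # 32 random bytes -> 43 URL-safe chars, inside the 43..128 length RFC 7636 requires.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, scope="read:user"):
    """First leg: the URL the user is sent to. 'state' is the CSRF token the client must check
    when the user comes back; the PKCE challenge rides along as in RFC 7636 section 4.3."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return GITHUB_AUTHORIZE_URL + "?" + urlencode(params)


def secret_from_env():
    """Stand-in for a vault lookup: the secret is read at call time, never stored in the code.
    GITHUB_CLIENT_SECRET is an assumed variable name for this example."""
    value = os.environ.get("GITHUB_CLIENT_SECRET")
    if not value:
        raise RuntimeError("client secret not available; inject it via a secret store")
    return value


def build_token_request(client_id, code, redirect_uri, code_verifier, secret_source):
    """Second leg: the POST that exchanges the code for a token.

    GitHub requires client_secret here (the point of the accepted answer), so it is fetched
    from secret_source (a callable such as a Vault client) only when the request is built.
    Returns (url, headers, form_body); the caller performs the HTTP POST.
    """
    body = {
        "client_id": client_id,
        "client_secret": secret_source(),
        "code": code,
        "redirect_uri": redirect_uri,
        # Assumption: only checked by servers that implement RFC 7636; unknown params are ignored.
        "code_verifier": code_verifier,
    }
    headers = {
        # GitHub answers form-encoded by default and JSON when this Accept header is sent.
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return GITHUB_TOKEN_URL, headers, urlencode(body)


def parse_token_response(content_type, body):
    """Handle both response encodings GitHub uses, and fail loudly on an error payload
    (a bad/expired code or wrong secret comes back as HTTP 200 with an 'error' field)."""
    if content_type.startswith("application/json"):
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if "error" in data:
        raise ValueError(f"token exchange failed: {data['error']}: {data.get('error_description', '')}")
    if "access_token" not in data:
        raise ValueError("no access_token in response")
    return data


if __name__ == "__main__":
    os.environ.setdefault("GITHUB_CLIENT_SECRET", "example-secret-from-vault")  # constructed
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("Iv1.example", "https://app.example/cb", state, challenge))
    url, headers, form = build_token_request(
        "Iv1.example", "code-from-callback", "https://app.example/cb", verifier, secret_from_env
    )
    print(url, headers, form, sep="\n")
    # Constructed sample of GitHub's JSON reply when Accept: application/json was sent.
    sample = '{"access_token": "gho_exampletoken", "token_type": "bearer", "scope": "read:user"}'
    print(parse_token_response("application/json", sample)["access_token"])
```

The shape to notice is that the secret never appears in the module: `build_token_request` takes a callable, so swapping the environment lookup for a Vault read (for example via the plugin the answer mentions) changes one argument, and the PKCE pair is computed and held client-side regardless of whether the server checks it.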