I am trying to write a small app that uses the Github API and is hosted on github.io
I'm following the web application flow documentation which can be summarized as:
If the application is client side only (except the static page host), how should I handle the client secret? It can't be embedded within the application or the user can find it. Is it imperative that a server be used to mediate the authentication process?
As you've noticed, to retrieve the access_token you'll have to request the API with your Client Secret. You just can't hide deep in your frontend code your Client Secret as it shall remain secret. This means that the retrieval of the access_token shall happen in your backend.
One thing you can do though is to use an open-source OAuth Manager codenamed Pizzly. You host it on a Heroku or Digital Ocean instance, and let it handle the OAuth-dance.
In your frontend, here's how you would connect a user to GitHub and retrieve an access_token:
const App = () => {
// Initialize Pizzly
const pizzly = new Pizzly({ host: PIZZLY_HOSTNAME, publishableKey: PIZZLY_PUBLISHABLE_KEY })
// Use the GitHub API
const github = pizzly.integration('github')
// The connect method lets us authenticate a user
// to our GitHub OAuth application
const connect = () => {
github
.connect()
.then(({ authId, payload }) => {
console.log(authId, payload.accessToken)
})
.catch(console.error)
}
// ...
};
export default App;
To make a request to the GitHub API, you can then use payload.accessToken or continue using Pizzly. Here's a full guide on how to use Pizzly with GitHub (in React).
This way, your API credentials remain hidden from your users. But your frontend code is clean.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With