
Importance of the secrecy of the client secret


vcasse
02-17-2014, 10:23 AM
Oh sorry, I had not understood your question.

The redirect URL could protect you from fake clients. But client_secret could permit you to filter requests you receive on your website: if another client_secret than yours is received, it could be an attack.

Regards,
Vincent

OderWat
02-14-2014, 01:39 PM
Hehe... I am not missing SSL. This is clear.

I was asking what I am missing from a developer standpoint. I could not do anything with the Client ID and Client Secret from any other account than mine, could I? And IF you could intercept the transmission (man in the middle or even memory dumping the application), I would get access to the API or could extract the Client Secret.

The original question was: What happens if somebody else gets a Client ID / Secret pair?
My Answer: Nothing really, because the Redirect URL protects "us" from fake clients using the same credentials.

vcasse
02-14-2014, 10:49 AM
https

Only a man-in-the-middle attack is possible. To avoid man in the middle, you could record our SSL certificate inside your application to verify nobody changes the certificate between your application and our APIs.

So, if anyone looks at the traffic, only the URL is visible and the hashed authentication is encrypted.

Vincent
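The "record our SSL certificate inside your application" advice above is certificate pinning. The following is an added example, not hubiC's code or the tool's code: it does the normal chain and hostname validation first, then refuses to use the connection unless the SHA-256 fingerprint of the presented leaf certificate matches a value recorded out of band. The host name and the pin value are placeholders you must replace with the fingerprint you recorded yourself.

```python
"""Certificate pinning for an HTTPS API client (added example, not hubiC code).
PINNED_HOST and PINNED_SHA256 are placeholders: replace them with the real host
and the hex SHA-256 of the leaf certificate's DER encoding, recorded out of band
(e.g. from `openssl x509 -fingerprint -sha256` on a copy you trust)."""
import hashlib
import hmac
import socket
import ssl

PINNED_HOST = "api.hubic.example"   # placeholder host name
PINNED_SHA256 = "00" * 32            # placeholder pin; must be replaced before use


def cert_fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 over the DER encoding of a certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes: bytes, pinned_hex: str) -> bool:
    """Compare the presented certificate against the recorded pin in constant time.
    The pin is normalised to lower-case hex so a copied fingerprint with upper-case
    digits still matches."""
    return hmac.compare_digest(cert_fingerprint(der_bytes), pinned_hex.lower())


def connect_pinned(host: str = PINNED_HOST, port: int = 443,
                   pinned_hex: str = PINNED_SHA256,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection, keep the default chain + hostname validation,
    then additionally require the leaf certificate to match the pin.
    Raises ssl.SSLError on a pin mismatch so a MITM with a CA-issued
    certificate for the host still fails."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)     # DER bytes of the leaf certificate
    if der is None or not pin_matches(der, pinned_hex):
        tls.close()
        seen = cert_fingerprint(der) if der else "<none>"
        raise ssl.SSLError(f"certificate pin mismatch for {host}: presented {seen}")
    return tls


if __name__ == "__main__":
    # Would only succeed against the real host with the real pin filled in.
    try:
        s = connect_pinned()
        s.close()
        print("pin matched")
    except (OSError, ssl.SSLError) as exc:
        print(f"connection refused or pin mismatch: {exc}")
```

Pinning the leaf certificate means the application stops working the day the API provider rotates that certificate, so ship a way to update the pin (or pin a backup key as well) and make the failure message tell the user what happened rather than silently falling back to an unpinned connection.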

OderWat
02-13-2014, 10:03 PM
Just a question / clarification about that:

Isn't the redirect URL "fixed" to the ClientID in your implementation? Which in turn would prevent anybody besides the original "target" of this URL from writing a (another) client app with the same ClientID.

The client secret is only used to "authorize" the client on "registering" with the user account and to refresh the access_token with the refresh_token.

So the real danger is that somebody picks up the refresh_token and hijacks the access to the account / API. But the person who can intercept this communication could also simply read out the hashed Authentication (client:secret) and use the token from the same data stream to hijack this API access.

What am I missing?

Rémi
10-28-2013, 12:14 PM
Okay. It was what I was doing. I hoped there was some simpler solution for my users.

Nathan
10-28-2013, 11:40 AM
It could be a security breakthrough, as people could use your credentials to create all types of applications, including malicious apps.

If we find this kind of application, we will ban the credentials, and you will be seen as responsible...
Don't forget that credentials are linked to your account.

Best way imo is to put your credentials in a conf file that you do not publish on GitHub. Just explain in your documentation how to write this file, and people will understand :-)
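One way to follow this advice in a Python tool, as an added example that is not the tool's own code: keep the Client ID and Client Secret in a small INI file outside the repository, refuse to read it if other users on the machine can read it, and let environment variables override it for CI. The file location, the section name and the variable names are assumptions for the example.

```python
"""Load hubiC client credentials from a local, unpublished config file
(added example, not the tool's code). The path, the [hubic] section and the
HUBIC_CLIENT_ID / HUBIC_CLIENT_SECRET variable names are assumptions."""
import configparser
import os
import stat
from pathlib import Path

DEFAULT_PATH = Path.home() / ".hubic-tool.conf"   # assumed; add the name to .gitignore

TEMPLATE = "[hubic]\nclient_id = \nclient_secret = \n"


class CredentialsError(Exception):
    """Raised with a message the user can act on; never contains the secret."""


def parse_credentials(text: str) -> dict:
    """Parse INI text with a [hubic] section holding client_id and client_secret.
    Interpolation is disabled so a '%' inside a secret is taken literally."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        raise CredentialsError(f"config is not valid INI: {exc}") from None
    if not cp.has_section("hubic"):
        raise CredentialsError("missing [hubic] section")
    creds = {}
    for key in ("client_id", "client_secret"):
        value = cp.get("hubic", key, fallback="").strip()
        if not value:
            raise CredentialsError(f"missing value for {key} in [hubic]")
        creds[key] = value
    return creds


def load_credentials(path: Path = DEFAULT_PATH) -> dict:
    """Environment variables win (useful for CI); otherwise read the file,
    refusing it on POSIX if group or others can read it."""
    env_id = os.environ.get("HUBIC_CLIENT_ID")
    env_secret = os.environ.get("HUBIC_CLIENT_SECRET")
    if env_id and env_secret:
        return {"client_id": env_id, "client_secret": env_secret}
    try:
        mode = path.stat().st_mode
    except FileNotFoundError:
        raise CredentialsError(
            f"{path} not found; create it with the format described in the README") from None
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialsError(f"{path} is readable by other users; run: chmod 600 {path}")
    return parse_credentials(path.read_text(encoding="utf-8"))


def write_template(path: Path = DEFAULT_PATH) -> Path:
    """Create an empty, owner-only template for the user to fill in by hand."""
    path.touch(mode=0o600, exist_ok=False)
    path.write_text(TEMPLATE, encoding="utf-8")
    return path


if __name__ == "__main__":
    try:
        creds = load_credentials()
        print("loaded credentials for client_id", creds["client_id"])
    except CredentialsError as exc:
        print("error:", exc)
```

The README then documents only the file format and its location, never real values, which is exactly what Nathan describes: the source on GitHub stays free of credentials, and each user (or deployer) registers their own application and fills in the template.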

Rémi
10-27-2013, 10:55 PM
I'm writing an open source tool for hubic, and as such, if I wrote the Client ID and Client Secret in the source code, they would be available to everybody on GitHub.

So I would like to know the security implications of revealing the Client Secret: is this a big « no, you should never do that », or is this a possibility?

Thanks