
I'm implementing a server-side OAuth for my API. I've seen here that Google allows fully JavaScript-written applications to use its API.

In this case, because we are in a "view-source" environment, we are not using the client secret, so we can't be sure of the application's identity.

Example: If I see a full-JavaScript application for Google, I just have to view the source, get the client key, and put an edited version of the code on my own website. If a user has accepted the app on the first website, I will be able to use his data (since the app is accepted, the accept part will be totally invisible to the user).

Even if the user has to re-accept the app, if he accepts it, I will have access with the first app's identity.

I'm a bit scared by this method, and I'm very surprised that Google doesn't expose the different risks in the documentation or during the authorization phase. I must be missing something... Can you help me?

I'm not quite sure if I've made myself understandable, but if you have any questions, please ask.

(And sorry for my English)

2 Answers

1

You are right. The data visible in your application are the client id and the client secret. When the user authenticates your application, you get an access token which you have to use for the following API requests. The access token is usually stored within a local database and is unique for every user (and may even expire).

Consequences: An evil user that has access to the client id and the client secret has to re-accept the application to get access to it. He can't access it directly, since he doesn't have the access token. But after accepting it, he can access all data.

One way to solve this problem would be to perform the authorization on the server side. Your server does the initial authorization and stores the access token. When you want to access the API from the client, you get the access token from your server (over a secure connection) and you should be able to use the API normally and your client id and client secret are hidden. An easy way to implement this would be the Yahoo Query Language.
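As an added example (not code from the answer above, and using a stand-in function instead of Yahoo Query Language), here is the server-side layout the answer describes in Python: the browser is only ever given the public client_id and a one-time `state`; the authorization code comes back to the server, which exchanges it using the client secret and keeps the access token in server-side storage. The browser then calls the API through the server with nothing but its own session id. `CLIENT_ID`, `CLIENT_SECRET`, the endpoint URLs and the `exchange_code`/`fetch` callbacks are constructed placeholders that stand in for the real provider and the real HTTPS calls.

```python
import hmac
import secrets
from typing import Callable, Dict
from urllib.parse import urlencode

# Constructed values for this example. A real deployment uses its own
# registered client_id/secret and the provider's real endpoints.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # server-only; never shipped to the browser
REDIRECT_URI = "https://your-app-domain.example/oauth/callback"
AUTHORIZE_ENDPOINT = "https://provider.example/o/oauth2/auth"

# Server-side state; a database or cache in production.
pending_states: Dict[str, str] = {}  # one-time state -> browser session id
sessions: Dict[str, str] = {}        # browser session id -> access token


def start_login(browser_session: str) -> str:
    """Return the authorization URL the browser is redirected to.

    Only the public client_id leaves the server, plus a one-time unguessable
    `state` bound to this browser session so the callback can be tied back to it.
    """
    state = secrets.token_urlsafe(32)
    pending_states[state] = browser_session
    params = {
        "response_type": "code",  # code flow: no token ever appears in a browser URL
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(browser_session: str, code: str, state: str,
                    exchange_code: Callable[[str, str, str, str], str]) -> bool:
    """Process the provider's redirect to /oauth/callback?code=...&state=...

    `exchange_code(code, client_id, client_secret, redirect_uri)` stands in for
    the server-to-server HTTPS POST to the token endpoint, so this runs offline.
    On success the access token is stored server-side and True is returned.
    """
    owner = pending_states.pop(state, None)  # pop: a state is valid exactly once
    if owner is None or not hmac.compare_digest(owner, browser_session):
        return False  # unknown/replayed state, or minted for a different browser (login CSRF)
    sessions[browser_session] = exchange_code(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return True


def call_api(browser_session: str, fetch: Callable[[str], str]) -> str:
    """Proxy an API call for the browser: it presents only its session id and
    the server attaches the stored token. `fetch(authorization_header)` stands
    in for the real HTTPS request to the API."""
    token = sessions.get(browser_session)
    if token is None:
        raise PermissionError("browser session is not authorized")
    return fetch(f"Bearer {token}")


if __name__ == "__main__":
    # Walk-through with stand-in network calls (constructed, not a real provider).
    url = start_login("browser-session-A")
    returned_state = url.rsplit("state=", 1)[1]
    ok = handle_callback("browser-session-A", "code-123", returned_state,
                         lambda code, cid, secret, uri: f"token-for-{code}")
    print(ok, call_api("browser-session-A", lambda auth: auth))  # True Bearer token-for-code-123
```

The point of the layout is that the secret and the access token never exist in anything the user can "view source" on: the browser holds a session id, which is only useful against your own server. The `state` check matters because the callback is a public URL; without it, an attacker could send a victim a callback link carrying the attacker's own code and log the victim into the attacker's account.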


0

I am quite worried about it as well, and I am reading a lot to get comfortable with it. Actually, there are lots of web servers allowing pure JavaScript access (e.g. Facebook, Google, MercadoLibre).

These companies require you to provide a valid domain name, i.e., your client id and client secret will be available only if requested by your web app. That said, I am a (too) little bit more comfortable. It is not that easy to forge your app, and your 11-year-old nephew will have a bad time trying it.

Anyhow, I know that you can use some kind of phishing attack on the browser, making it believe you are on "your-app-domain.com". I am not sure how the aforementioned companies filter this kind of attack.

Thinking: One idea I had: you could store your credentials in a cookie. Use a REST URI at the start of your app and store your credentials there. As far as I know, it is possible with a little hacking to access the cookie, but it will be an extra barrier.

Thinking 2: I am not a mobile developer, so I keep asking myself: how do you solve this issue in a mobile app? Even though it is not easy to decompile an app, it is possible to do it.

I have no clue how to solve/be comfortable with client-side credential storage, but I hope to contribute to this discussion.
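The "valid domain name" registration this answer mentions is the redirect URI check on the provider's authorization endpoint, and it is also what defeats the copy-the-client-id attack from the question. The following is an added example (not the answer's code, and not any real provider's implementation) of that check in Python for the implicit, browser-only grant: the client_id is public, so the only thing binding it to a site is an exact match between the requested redirect_uri and what was registered. The registry contents, the client_id and the callback URLs are constructed for the example.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed registration data; a real provider keeps this in its app registry.
# A public (JavaScript) client is identified by client_id alone, so the
# registered redirect URI is the only thing binding the client_id to a site.
REGISTERED_REDIRECT_URIS: Dict[str, List[str]] = {
    "example-public-client-id": ["https://your-app-domain.example/oauth/callback"],
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-string match against the URIs registered for this client_id.

    Exact matching (not prefix or host-suffix matching) is what makes a copied
    client_id useless on another site: scheme, host, port and path must all be
    identical. A fragment is never accepted because the token itself is
    delivered in the fragment, and plain http is refused outright.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def authorize(client_id: str, redirect_uri: str, state: str,
              user_consented: bool,
              issue_token: Callable[[str], str] = lambda _cid: secrets.token_urlsafe(24),
              ) -> Tuple[Optional[str], Optional[str]]:
    """Authorization endpoint decision for the implicit (browser) grant.

    Returns (redirect_target, error). When redirect_uri does not match the
    registration, the user is shown an error and is NOT redirected anywhere
    (RFC 6749 section 3.1.2.4), so no token can reach the attacker's page even
    though the attacker presented a genuine client_id.
    """
    if not redirect_uri_allowed(client_id, redirect_uri):
        return None, "invalid_redirect_uri"
    if not user_consented:
        return f"{redirect_uri}#{urlencode({'error': 'access_denied', 'state': state})}", None
    token = issue_token(client_id)
    fragment = urlencode({"access_token": token, "token_type": "bearer", "state": state})
    # Token goes in the fragment: browsers never send it to any server, so only
    # JavaScript running on the registered origin can read it.
    return f"{redirect_uri}#{fragment}", None


if __name__ == "__main__":
    legit = "https://your-app-domain.example/oauth/callback"
    print(authorize("example-public-client-id", legit, "s1", True, lambda cid: "tok"))
    # Same public client_id lifted from view-source, attacker's own site: refused, no redirect.
    print(authorize("example-public-client-id", "https://attacker.example/cb", "s1", True))
```

Two consequences follow for the scenario in the question. First, a copied client_id on another domain gets an error page at the provider, not a token, and the user is never redirected to the attacker's site. Second, the consent the user already gave does nothing for the attacker, because the token is only ever handed to the registered origin. What this check cannot do is tell a browser apart from one whose DNS or hosts file has been tampered with so that the registered hostname resolves to the attacker; that is the "make the browser believe you are on your-app-domain.com" case the answer raises, and it is addressed by TLS on the registered https origin rather than by the redirect match.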
