Safety of OAuth client secret in .gitconfig #1315

Answered by hickford
eboskma asked this question in Q&A

I was wondering, how safe is it to store the OAuth client secret (and perhaps also the client ID) in plain text in .gitconfig? It seems like a bit of a security issue (it is called 'secret' for a reason), especially since I keep my dotfiles in a public git repository.

Maybe I'm overthinking it, but I like to err on the side of caution in cases like this.

Replies: 1 comment · 1 reply

hickford
It's harmless but confusing. There are two kinds of OAuth client, public clients and confidential clients. It's expected that the "secrets" of public clients such as native apps are non-confidential: https://datatracker.ietf.org/doc/html/rfc8252#section-8.5

Secrets that are statically included as part of an app distributed to multiple users should not be treated as confidential secrets, as one user may inspect their copy and learn the shared secret.

For this reason, enlightened servers allow public clients to authenticate with just client id, omitting the secret:

it is NOT RECOMMENDED for authorization servers to require client authentication of public native apps clients using a shared secret, as this serves little value beyond client identification which is already provided by the "client_id" request parameter.

You can omit the client secret when authenticating to GitLab or Gitea: hickford/git-credential-oauth#17

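What a public client actually relies on instead of a confidential secret, as an added example (not code from this discussion or from git-credential-oauth): the PKCE exchange that RFC 8252 requires for native apps. The client generates a fresh, per-exchange code_verifier, sends only its SHA-256 challenge to the authorization endpoint, and reveals the verifier at the token endpoint together with client_id; the token request contains no client_secret unless the server still insists on one, and even then that value is identification, not authentication. The endpoints, client_id, redirect URI and authorization code below are constructed placeholders, and the code assumes the authorization server supports the S256 challenge method.

```python
"""PKCE for a public OAuth client (RFC 7636 / RFC 8252): the client proves
possession of a one-time secret it generated for this exchange, instead of
presenting a static client_secret that ships inside every copy of the app."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed, hypothetical endpoints and client id for illustration only.
AUTH_URL = "https://git.example.com/oauth/authorize"
TOKEN_URL = "https://git.example.com/oauth/token"
CLIENT_ID = "example-public-client"
REDIRECT_URI = "http://127.0.0.1/"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, inside the allowed 43..128 range."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request(verifier: str, state: str, scope: str) -> str:
    """URL the native app opens in the browser; it carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def token_request(code: str, verifier: str, client_secret: Optional[str] = None) -> dict:
    """Body of the POST to the token endpoint. A public client sends client_id
    (identification) plus the verifier (proof); client_secret is added only for
    servers that still demand it, and adds no real authentication."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Check the authorization server performs at the token endpoint: the presented
    verifier must hash to the challenge it recorded alongside the authorization code."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(authorization_request(verifier, state=secrets.token_urlsafe(16), scope="read_repository"))
    # Constructed authorization code standing in for the one returned via the redirect.
    body = token_request("constructed-auth-code", verifier)
    assert "client_secret" not in body
    challenge = code_challenge_s256(verifier)  # what the server stored at /authorize
    assert server_accepts_verifier(challenge, verifier)
    assert not server_accepts_verifier(challenge, make_code_verifier())
    print("public client bound to its token request by PKCE; no shared secret involved")
```

Because the verifier never leaves the machine until the token request, and a new one is generated for every login, nothing worth protecting ends up in a dotfile: an attacker who reads a published .gitconfig learns the client_id, which every copy of the app already exposes, and nothing that lets them redeem someone else's authorization code.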
1 reply

@eboskma
Ah, right, that makes sense. Thanks for clearing that up!

Answer selected by eboskma