
Support Free and Open Source software API clients with OAuth 2.0
Open, Needs Triage, Public

Description

"As a Developer, I want to release my API client software under a Free and Open Source software license, so that [I can empower users, follow my personal principles, and garner support from other software developers]."

(There are probably another hundred reasons someone wants to release software as FLOSS; I don't think that it's important to describe those. I'm happy to change the justification to "because I want to" if we get too hung up on the reasons.)

Our use of OAuth 2.0 client IDs needs to support FLOSS clients. They can't easily keep a client ID/client secret pair secret because the source code is available (although there are options, like providing the key at build time), so we need to have other mechanisms or flows that work.

This isn't a user story on https://www.mediawiki.org/wiki/Core_Platform_Team/Initiatives/OAuth2 , but an open question. I decided to make it a user story here so we can think of it as a problem to solve.

Event Timeline

My interpretation of RFC 6749 is that the client_id is not secret, regardless of source code license. Section 2.2 says "The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication." So I'm not sure if there is any special problem we need to solve here.

eprodromou updated the task description. Nov 20 2019, 5:43 PM

> My interpretation of RFC 6749 is that the client_id is not secret, regardless of source code license. Section 2.2 says "The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication." So I'm not sure if there is any special problem we need to solve here.

Thanks for the note. I updated it to point out that the client ID/client secret pair needs to be kept secret, not the ID itself.

I think the state of the art is to not provide a client secret for Open Source, native, or browser-based clients. https://aaronparecki.com/oauth-2-simplified/#creating-an-app
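The thread above settles on clients that hold no client secret at all. The mechanism the linked article uses to make that safe is PKCE (RFC 7636): the client proves at token exchange that it is the same party that started the authorization request, so an intercepted authorization code is useless on its own and no build-time secret is needed. The example below is an added illustration, not MediaWiki or Phabricator code; the page itself does not name PKCE. It shows both halves of the flow in Python: the client-side verifier/challenge derivation and a minimal in-memory stand-in for the authorization server that stores the challenge with the code, insists on the S256 method, makes codes single-use, and compares in constant time. The client_id and the `AuthorizationServer` class are illustrative stand-ins.

```python
"""PKCE (RFC 7636) round trip for a public OAuth 2.0 client with no client secret.

Added example; not MediaWiki code. The in-memory AuthorizationServer and the
sample client_id are illustrative stand-ins, not a real implementation.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy random string of 43..128 unreserved characters."""
    verifier = b64url(secrets.token_bytes(nbytes))  # 32 random bytes -> 43 chars
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of RFC 7636 range")
    return verifier


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal stand-in for the server side; real servers also check redirect_uri, expiry, scope."""

    def __init__(self):
        # authorization code -> (client_id, code_challenge)
        self._pending = {}

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """Authorization endpoint: bind the challenge to a fresh, single-use code."""
        # Only S256 is accepted; the "plain" method gives no protection if the
        # challenge is observed in transit, which is exactly the public-client risk.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        """Token endpoint: recompute the challenge from the presented verifier."""
        entry = self._pending.pop(code, None)  # pop => a replayed code fails
        if entry is None:
            return False
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return False
        expected = make_code_challenge(code_verifier)
        # Constant-time comparison so timing does not leak how much matched.
        return hmac.compare_digest(expected, stored_challenge)


def run_flow(server: AuthorizationServer, client_id: str, verifier_for_token=None) -> bool:
    """Drive one complete flow; optionally present a different verifier at the token step."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(client_id, challenge, "S256")
    return server.token(client_id, code, verifier_for_token or verifier)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("honest client:", run_flow(srv, "example-floss-client"))
    print("wrong verifier:", run_flow(srv, "example-floss-client", verifier_for_token="a" * 43))
```

Because the verifier never leaves the client until the token request, and the challenge alone cannot be inverted, publishing the client's source code reveals nothing an attacker could use to redeem someone else's authorization code. That is why the public-client flow can drop the client secret rather than try to hide it at build time.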