Draft guidance for developers on how to manage OAuth secrets and app confidentiality, including guidance for mobile and desktop apps.
#### Client confidentiality
When creating a client, the OAuth extension supports a checkbox for "Client is confidential: A confidential client is an application that is capable of keeping a client password confidential to the world. Non-confidential clients are less secure". For the API Portal, our current working copy for this checkbox is: "I can keep my app credentials secure" with a link out to a documentation page.
From the backend perspective, this is a purely self-reported field. There's no way for the extension to know whether the credentials are actually secure or not. If a user doesn't check the box, two things happen:
1. When using the authorization code flow, the client must use a PKCE code challenge[[[ https://www.mediawiki.org/wiki/OAuth/For_Developers#Authorization_2 | 1 ]]] and the client credentials are not evaluated when exchanging an authorization code for an access token[[[ https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AuthCodeGrant.php#L103 | 2 ]]].
2. The client cannot use the client credentials flow[[[ https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/ClientCredentialsGrant.php#L35-L40 | 3 ]]].
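The two rules above, worked through as an added example (this is not the OAuth extension's code nor the thephpleague/oauth2-server library's; the token-endpoint model is a simplified assumption of the behaviour described, and every client record and secret in it is constructed). The client side builds an RFC 7636 S256 code verifier and challenge; the server side checks the verifier against the stored challenge and, as rule 1 says, evaluates the client secret only when the client is marked confidential, while rule 2 refuses the client credentials grant to non-confidential clients.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# --- client side (RFC 7636) --------------------------------------------------

def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier: base64url of 32 random bytes is 43 chars,
    inside the 43..128 range RFC 7636 allows, using only unreserved characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# --- server side (simplified model, an assumption) ---------------------------

def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Compare the verifier presented at the token endpoint with the challenge
    stored alongside the authorization code; constant-time compare."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


def _secret_matches(client: dict, presented_secret: Optional[str]) -> bool:
    return presented_secret is not None and hmac.compare_digest(
        client["secret"].encode("utf-8"), presented_secret.encode("utf-8")
    )


def exchange_authorization_code(client: dict, stored_challenge: Optional[str],
                                presented_secret: Optional[str],
                                presented_verifier: Optional[str]) -> str:
    """Rule 1: the secret is evaluated only for confidential clients; a
    non-confidential client must have sent a PKCE challenge and must now
    present the matching verifier. Returns 'access_token' or an OAuth error code."""
    if client["confidential"]:
        if not _secret_matches(client, presented_secret):
            return "invalid_client"
    elif stored_challenge is None:
        # public client that skipped PKCE at the authorization step
        return "invalid_request"
    # PKCE is checked whenever a challenge was recorded, for either client type
    if stored_challenge is not None:
        if presented_verifier is None or not verify_code_challenge(presented_verifier, stored_challenge):
            return "invalid_grant"
    return "access_token"


def client_credentials_grant(client: dict, presented_secret: Optional[str]) -> str:
    """Rule 2: only confidential clients may use the client credentials grant."""
    if not client["confidential"]:
        return "unauthorized_client"
    if not _secret_matches(client, presented_secret):
        return "invalid_client"
    return "access_token"


if __name__ == "__main__":
    # constructed sample client; the secret value is not a real credential
    public_app = {"confidential": False, "secret": "CONSTRUCTED_SECRET_NOT_REAL"}
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # the secret is ignored for the public client; only PKCE decides
    print(exchange_authorization_code(public_app, challenge, "wrong-secret", verifier))  # access_token
    print(exchange_authorization_code(public_app, challenge, None, "wrong-verifier"))   # invalid_grant
    print(client_credentials_grant(public_app, public_app["secret"]))                  # unauthorized_client
```

The first print is the point Dejan raises in the notes: for a non-confidential client the token endpoint accepts a wrong secret as long as the PKCE verifier matches, because PKCE binds the token request to the party that started the authorization, not to possession of the secret.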
Notes:
* From Reedy: It might be best to have something more wordy, making it explicit that we expect some action in case of suspected compromise/breach/poor handling etc., and making it explicit (on the page) what difference checking it or not makes.
* From Dejan: Actually, this was something that stood out to me as weird when implementing OAuth 2.0. If you cannot keep your secret secure (client not confidential), OAuth says: "OK, then I just won't check the secret", and grants you full functionality. PKCE CC is required, that is true, but that does not do much in the matter of security.
Drafts:
"I agree to follow [[security best practices]] for key management. If I have reason to believe that the key may have been compromised, I also agree to revoke that key and replace it"
#### Guidance for mobile and desktop apps
From [OAuth for Developers](https://www.mediawiki.org/wiki/OAuth/For_Developers#Security_benefits_and_trade-offs), "The application secret must be kept secret. Submitting it to source control or putting it into user-accessible code (such as mobile app or desktop application; even if it is obfuscated) undermines the security model and will result in admins forcefully disabling the application. Exceptions are made for example applications demoing OAuth usage, if they are explicitly labeled as such and request limited rights."
See also: `T255370`