Change Details

Draft guidance for developers on how to manage OAuth secrets and app confidentiality, including guidance for mobile and desktop apps. #### Client confidentiality When creating a client, the OAuth extension supports a checkbox for "Client is confidential: A confidential client is an application that is capable of keeping a client password confidential to the world. Non-confidential clients are less secure". For the API Portal, our current working copy for this checkbox is: "I can keep my app credentials secure" with a link out to a documentation page. From the backend perspective, this is a purely self-reported field. There's no way for the extension to know whether the credentials are actually secure or not. If a user doesn't check the box, two things happen: 1. When using the authorization code flow, the client must use a PKCE code challenge[[[ https://www.mediawiki.org/wiki/OAuth/For_Developers#Authorization_2 | 1 ]]] and the client credentials are not evaluated when exchanging an authorization code for an access token[[[ https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AuthCodeGrant.php#L103 | 2 ]]]. 2. The client cannot use the client credentials flow[[[ https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/ClientCredentialsGrant.php#L35-L40 | 3 ]]]. #### Guidance for mobile and desktop apps From [OAuth for Developers](https://www.mediawiki.org/wiki/OAuth/For_Developers#Security_benefits_and_trade-offs), "The application secret must be kept secret. Submitting it to source control or putting it into user-accessible code (such as mobile app or desktop application; even if it is obfuscated) undermines the security model and will result in admins forcefully disabling the application. Exceptions are made for example applications demoing OAuth usage, if they are explicitly labeled as such and request limited rights."

Draft guidance for developers on how to manage OAuth secrets and app confidentiality, including guidance for mobile and desktop apps. #### Client confidentiality When creating a client, the OAuth extension supports a checkbox for "Client is confidential: A confidential client is an application that is capable of keeping a client password confidential to the world. Non-confidential clients are less secure". For the API Portal, our current working copy for this checkbox is: "I can keep my app credentials secure" with a link out to a documentation page. From the backend perspective, this is a purely self-reported field. There's no way for the extension to know whether the credentials are actually secure or not. If a user doesn't check the box, two things happen: 1. When using the authorization code flow, the client must use a PKCE code challenge[[[ https://www.mediawiki.org/wiki/OAuth/For_Developers#Authorization_2 | 1 ]]] and the client credentials are not evaluated when exchanging an authorization code for an access token[[[ https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AuthCodeGrant.php#L103 | 2 ]]]. 2. The client cannot use the client credentials flow[[[ https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/ClientCredentialsGrant.php#L35-L40 | 3 ]]]. #### Guidance for mobile and desktop apps From [OAuth for Developers](https://www.mediawiki.org/wiki/OAuth/For_Developers#Security_benefits_and_trade-offs), "The application secret must be kept secret. Submitting it to source control or putting it into user-accessible code (such as mobile app or desktop application; even if it is obfuscated) undermines the security model and will result in admins forcefully disabling the application. Exceptions are made for example applications demoing OAuth usage, if they are explicitly labeled as such and request limited rights." See also: `T255370`

Draft guidance for developers on how to manage OAuth secrets and app confidentiality, including guidance for mobile and desktop apps. #### Client confidentiality When creating a client, the OAuth extension supports a checkbox for "Client is confidential: A confidential client is an application that is capable of keeping a client password confidential to the world. Non-confidential clients are less secure". For the API Portal, our current working copy for this checkbox is: "I can keep my app credentials secure" with a link out to a documentation page. From the backend perspective, this is a purely self-reported field. There's no way for the extension to know whether the credentials are actually secure or not. If a user doesn't check the box, two things happen: 1. When using the authorization code flow, the client must use a PKCE code challenge[[[ https://www.mediawiki.org/wiki/OAuth/For_Developers#Authorization_2 | 1 ]]] and the client credentials are not evaluated when exchanging an authorization code for an access token[[[ https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AuthCodeGrant.php#L103 | 2 ]]]. 2. The client cannot use the client credentials flow[[[ https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/ClientCredentialsGrant.php#L35-L40 | 3 ]]]. #### Guidance for mobile and desktop apps From [OAuth for Developers](https://www.mediawiki.org/wiki/OAuth/For_Developers#Security_benefits_and_trade-offs), "The application secret must be kept secret. Submitting it to source control or putting it into user-accessible code (such as mobile app or desktop application; even if it is obfuscated) undermines the security model and will result in admins forcefully disabling the application. Exceptions are made for example applications demoing OAuth usage, if they are explicitly labeled as such and request limited rights." See also: `T255370`