Is OAuth1.0a safe in Browser?


#1

Let's say I want to write a client-side Twitter API that uses OAuth and runs in the browser. That would mean that I have to hard code my consumer secret into the script (in the browser). This cannot be safe, as it is in plain text. So, others can make copies of sites just like mine and use my consumer secret. That means that the only security mechanism is one that would disable callback URIs other than what I've set in my app settings page (the one that Twitter uses to redirect users after they approve the application acting on their behalf). Is this true, and how can this be achieved?! Does the "Enable Callback Locking" option on the app settings page enforce this, or something else?


#2

It is not safe. You should store your application secret securely on a server and proxy requests to the Twitter API through that server.


#3

Then, how come there are APIs like this? Their API works in the browser too, as far as I can see, and for input it takes a JavaScript object that stores the consumer secret and key as plain strings. What's the deal?


#4

The internet is full of people making bad decisions.


#5

Hi, I'm the author of the "like this" package. First, read the whole README, or the TL;DR at https://github.com/ddo/oauth-1.0a#client-side-usage-caution

Yes, storing an OAuth key or token on the client side is forbidden. But there are some cases where we can accept it and take the risk on our own, if you understand how it works. Examples: Electron/node-webkit apps, Google Chrome extensions, etc.

People give you tools, but how to use them? Let them make their own decisions.


#6

@ddo
All you have to do is to be honest with potential users of your code.
Edit your readme.md and add what you just said above.

But there are some cases where we can accept it and take the risk on our own, if you understand how it works.

Again, state this clearly in your readme.md. You can't expect users to first read your code to find out what it does. Your code is an abstraction, so they don't need to know its inner workings to understand how it works. And your README doesn't say what your code really does.

From your README:

Before you start hacking, make sure you understand the limitations posed by cross-domain XMLHttpRequest.

Again, this doesn't come even close to covering the dangers of using your code. All it says is that users should know that their apps/pages might not have access to pages from other domains when using your library, when the real danger is completely compromised app and user security!

I’ve read your README and replied to you here. You did nothing.


#7

Thanks for the input. I'm not sure that this is the right place for a conversation about a specific library, so let's leave this as something to be dealt with on the project itself rather than in the Twitter platform forums. Thanks!
