[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: Safely storing an application's API keys
From:       Wolthera <griffinvalley () gmail ! com>
Date:       2021-01-18 15:08:11
Message-ID: CAN80MtH_RS-KqaP+j5B_ZyH99pxpmmABNau+ESN5oU5AOY__pQ () mail ! gmail ! com
[Download RAW message or body]

On Mon, Jan 18, 2021 at 3:55 PM Nicolás Alvarez
<nicolas.alvarez@gmail.com> wrote:
> 
> 
> Protecting an API key on a locally-running application is impossible even for a \
> closed source app. It's equivalent to the impossible task DRM intends to achieve \
> (hiding the content decryption key from the user while decrypting content on their \
> computer). If you give the application to the user, as opposed to running \
> everything in a server, the key *will* be publicly available. 
> https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gmailpasswordrequester.cpp#0016
>  
> --
> Nicolas

It's in fact so impossible that oAuth experts are advocating a number
of extra keys (such as proof key for code exchange and application
state) to be given in oAuth flow. Stuff like IndieAuth even does away
with the 'client secret' (an oAuth api key), because it just makes no
sense in projects with public code.

I was looking into this a while back, oAuth wise, neither the o2 qt
library for oAuth supports the proof key (pkce) nor does the oAuth
plugin for SSO (which kaccounts uses), and then I ran out of time to
look into this.

-- 
Wolthera


[prev in list] [next in list] [prev in thread] [next in thread]