What are the risks of exposing the Client ID and Secret of a developer application?

Question asked by nbone on Nov 18, 2016
Latest reply on Jan 24, 2017 by bello01

I'm developing a Chrome extension that consumes the Flowdock API.  It uses the OAuth 2.0 flow so the user of the extension can authorize the extension to consume the Flowdock API on their behalf (see Authentication | Flowdock API).  In order to do this, I had to register a Developer Application to identify the extension.  The problem I'm struggling with is that the extension has to store the Client ID and Client Secret to be able to identify itself to Flowdock, but extension code is just plain-text, so anyone who downloads the extension can therefore see the Client Secret.  On the one hand this doesn't seem like a big risk, as the extension can only do things that the authenticated Flowdock user themselves could do, and the OAuth Redirect URI will only work with the specific extension ID (i.e. if you tried to build another app using the same Client ID and Client Secret then auth would fail).  On the other hand exposing credentials feels wrong, and the docs say "The Client Secret should not be shared."

A related question (perhaps I should post this separately?): if I lose my Flowdock account (e.g. if my company switches to a different tool), what happens to my Developer Application and the Chrome extension that depends on it?  I'd like for the extension to keep working for other users even if I lose my account.