OAuth web flow endpoints don't support CORS #330

Open
stuartpb opened this Issue Jan 8, 2015 · 8 comments

stuartpb commented Jan 8, 2015

All of the API v3 endpoints on api.github.com support CORS (https://developer.github.com/v3/#cross-origin-resource-sharing): however, the github.com endpoints involved in creating an OAuth2 access token via the Web Flow, specifically https://github.com/login/oauth/access_token, don't support the OPTIONS method or CORS headers necessary to POST to it and get the access_token back.

This is a bug. Denying cross-origin access here doesn't help security, as it is most easily worked around by doing the POST requests through a potentially-insecure third-party open reverse proxy (as implemented using https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token on http://stuartpb.github.io/gistachio/demo.html).


stuartpb commented Jan 8, 2015

On 1/8/2015 12:56 AM, Ivan Žužak wrote:

Hi Stuart,

Thanks for the feedback. The GitHub API's OAuth implementation doesn't support the implicit OAuth flow currently, which would allow you to complete the OAuth flow from a browser:

https://tools.ietf.org/html/rfc6749#section-4.2

Improving our implementation so that this is supported is already on our wishlist, but I can't say if/when it might happen. For now, you should use a server-side component to complete the flow (your own server-side component, not a potentially-insecure third-party component you can't really trust).

Allowing CORS for the endpoint you mentioned would mean that you could complete this step of the Web flow from a browser:

https://developer.github.com/v3/oauth/#github-redirects-back-to-your-site

And this would mean that you're hard-coding your client_id and client_secret into a webpage (or JS file loaded into that webpage) for everyone to see. This would indeed cause security concerns since the client_secret should be kept secret. If someone got hold of your client_id and client_secret, they could impersonate your application, and for example -- wipe all the tokens for that application:

https://developer.github.com/v3/oauth_authorizations/#revoke-all-authorizations-for-an-application

Let me know if you have any other feedback or questions.

Cheers,
Ivan

stuartpb commented Jan 8, 2015

Ivan has a point, and implicit OAuth really would be the correct solution here. The app I'm exposing the client_secret in is a demo, so I don't really care if it can be impersonated or wiped, but in general sending client_secret to the browser is wrong, and I certainly wouldn't do it for any meaningful app.

(I'd been considering it for a browser extension, but I didn't know / hadn't considered that the client_secret can be used to invalidate all tokens, so now I'm definitely going to set up a lightweight token generator server to obscure the secret.)

However, I'm not really a fan of GitHub's "security through not fixing bugs that are situationally mildly discouraging" rationale (as seen here and in #316).
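The "lightweight token generator server" that Ivan's reply and the comment above point to, as an added example that is not code from this issue, from GitHub, or from any project mentioned in the thread. It assumes a configuration object (placeholder client id/secret and an allowed origin) and shows the two properties that matter: the browser only ever sends the temporary code, while client_secret is attached server-side, and CORS is granted to one configured origin rather than to every page on the web. The GitHub stand-in is constructed so the block runs offline.

```javascript
// Added example (not code from this issue, GitHub or gatekeeper): the server-side
// token-exchange component Ivan recommends. The page sends only the temporary `code`;
// client_id/client_secret stay here, and CORS is granted to one configured origin.
const CONFIG = {                                   // assumed config; placeholder values
  clientId: process.env.GITHUB_CLIENT_ID || "CLIENT_ID_PLACEHOLDER",
  clientSecret: process.env.GITHUB_CLIENT_SECRET || "CLIENT_SECRET_PLACEHOLDER",
  allowedOrigin: process.env.ALLOWED_ORIGIN || "https://example.github.io",
  tokenUrl: "https://github.com/login/oauth/access_token",  // endpoint named in the issue
};

// CORS headers for exactly one origin; any other origin gets none, so this server
// is not the kind of open proxy the first comment describes.
function corsHeaders(origin, cfg = CONFIG) {
  if (origin !== cfg.allowedOrigin) return {};
  return { "Access-Control-Allow-Origin": cfg.allowedOrigin,
           "Access-Control-Allow-Methods": "POST, OPTIONS",
           "Access-Control-Allow-Headers": "Content-Type", Vary: "Origin" };
}

// The POST that step 2 of the web flow expects; the secret is attached here, server-side.
function buildExchangeRequest(code, cfg = CONFIG) {
  if (!/^[A-Za-z0-9_-]{1,128}$/.test(code || "")) throw new Error("malformed_code");
  return { url: cfg.tokenUrl, method: "POST",
           headers: { Accept: "application/json", "Content-Type": "application/json" },
           body: JSON.stringify({ client_id: cfg.clientId, client_secret: cfg.clientSecret, code }) };
}

// Pure handler returning {status, headers, body}, so it is testable without sockets.
// `fetchImpl` is injectable; global fetch needs Node 18+, a stub runs offline.
async function handleExchange(req, fetchImpl = globalThis.fetch, cfg = CONFIG) {
  const headers = corsHeaders(req.origin, cfg);
  if (Object.keys(headers).length === 0) return { status: 403, headers, body: { error: "origin_not_allowed" } };
  if (req.method === "OPTIONS") return { status: 204, headers, body: null };  // preflight
  if (req.method !== "POST") return { status: 405, headers, body: { error: "method_not_allowed" } };
  let ghReq;
  try { ghReq = buildExchangeRequest(req.code, cfg); }
  catch (e) { return { status: 400, headers, body: { error: e.message } }; }
  const res = await fetchImpl(ghReq.url, { method: ghReq.method, headers: ghReq.headers, body: ghReq.body });
  const data = await res.json();
  // Forward only the token fields; never echo the secret or GitHub's raw reply.
  if (!data.access_token) return { status: 502, headers, body: { error: data.error || "exchange_failed" } };
  return { status: 200, headers, body: { access_token: data.access_token, token_type: data.token_type, scope: data.scope } };
}

// Constructed stand-in for GitHub so the example runs offline (no real codes or tokens).
async function fakeGitHub(url, init) {
  const sent = JSON.parse(init.body);
  const ok = url === CONFIG.tokenUrl && sent.code === "GOOD_CODE" && sent.client_secret === CONFIG.clientSecret;
  return { json: async () => (ok ? { access_token: "gho_constructed", token_type: "bearer", scope: "gist" }
                                 : { error: "bad_verification_code" }) };
}
```

Wrap `handleExchange` in `http.createServer` (reading `Origin` from the request headers and `code` from the body) and point the page's redirect handler at it; the page then never sees client_secret.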

ericsoco commented Aug 16, 2016

I wasted the better part of a day on this dead end, trying to get the implicit OAuth2 flow to work w/ GitHub's API. I didn't notice the fine print at the top of the docs.

It seems like way too much of a hurdle to have to spin up a server just to connect an application to GitHub. But for future reference, here's a simple one, tailor-made for this problem:
https://github.com/prose/gatekeeper

wonderbeyond commented Feb 8, 2017

I want to make a pure-JavaScript in-browser gist client, so CORS support is necessary!

axetroy commented Apr 25, 2017

@wonderbeyond
That's great! I am doing something like you.

A serverless website, all data from the GitHub API, so back to the point.

CORS support is necessary!

@axetroy referenced this issue Apr 25, 2017 in "Blog site: support GitHub login/posting/comments #3" (closed, 2 of 4 tasks complete).
moodysalem commented Jul 17, 2017

I want to build a password database hosted in a private GitHub repository and I can't build trust because the access code has to be sent to an endpoint I host that trades an access code for a token.
pdelta/pdelta.github.io#1

amaralDaniel commented Feb 7, 2018

Any updates on this?

mrahman1122 commented Apr 4, 2018

Have there been any updates on this issue??
