Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OAuth web flow endpoints don't support CORS #330

Open
stuartpb opened this issue Jan 8, 2015 · 17 comments
Open

OAuth web flow endpoints don't support CORS #330

stuartpb opened this issue Jan 8, 2015 · 17 comments

Comments

@stuartpb
Copy link

@stuartpb stuartpb commented Jan 8, 2015

All of the API v3 endpoints on api.github.com support CORS (https://developer.github.com/v3/#cross-origin-resource-sharing): however, the github.com endpoints involved in creating an OAuth2 access token via the Web Flow, specifically https://github.com/login/oauth/access_token, don't support the OPTIONS method or CORS headers necessary to POST to it and get the access_token back.

This is a bug. Denying cross-origin access here doesn't help security, as it is most easily worked around by doing the POST requests through a potentially-insecure third-party open reverse proxy (as implemented using https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token on http://stuartpb.github.io/gistachio/demo.html).

@stuartpb
Copy link
Author

@stuartpb stuartpb commented Jan 8, 2015

On 1/8/2015 12:56 AM, Ivan Žužak wrote:

Hi Stuart,

Thanks for the feedback. The GitHub API's OAuth implementation doesn't support the implicit OAuth flow currently, which would allow you to complete the OAuth flow from a browser:

https://tools.ietf.org/html/rfc6749#section-4.2

Improving our implementation so that this is supported is already on our wishlist, but I can't say if/when it might happen. For now, you should use a server-side component to complete the flow (your own server-side component, not a potentially-insecure third-party component you can't really trust).

Allowing CORS for the endpoint you mentioned would mean that you could complete this step of the Web flow from a browser:

https://developer.github.com/v3/oauth/#github-redirects-back-to-your-site

And this would mean that you're hard-coding your client_id and client_secret into a webpage (or JS file loaded into that webpage) for everyone to see. This would indeed cause security concerns since the client_secret should be kept secret. If someone got hold of your client_id and client_secret, they could impersonate you application, and for example -- wipe all the tokens for that application:

https://developer.github.com/v3/oauth_authorizations/#revoke-all-authorizations-for-an-application

Let me know if you have any other feedback or questions.

Cheers,
Ivan

@stuartpb
Copy link
Author

@stuartpb stuartpb commented Jan 8, 2015

Ivan has a point, and implicit OAuth really would be the correct solution here. The app I'm exposing the client_secret in is a demo, so I don't really care if it can be impersonated or wiped, but in general sending client_secret to the browser is wrong, and I certainly wouldn't do it for any meaningful app.

(I'd been considering it for a browser extension, but I didn't know / hadn't considered that the client_secret can be used to invalidate all tokens, so now I'm definitely going to set up a lightweight token generator server to obscure the secret.)

However, I'm not really a fan of GitHub's "security through not fixing bugs that are situationally mildly discouraging" rationale (as seen here and in #316).

@ericsoco
Copy link

@ericsoco ericsoco commented Aug 16, 2016

I wasted the better part of a day on this dead end, trying to get the implicit OAuth2 flow to work w/ GitHub's API. I didn't notice the fine print at the top of the docs.

It seems like way too much of a hurdle to have to spin up a server just to connect an application to GitHub. But for future reference, here's a simple one, tailor-made for this problem:
https://github.com/prose/gatekeeper

@wonderbeyond
Copy link

@wonderbeyond wonderbeyond commented Feb 8, 2017

I want to make a pure-javascript in-browser gist client, So CORS support is necessary!

@axetroy
Copy link

@axetroy axetroy commented Apr 25, 2017

@wonderbeyond
That's great! I am doing something like you.

a serveless website, All data from Github api, so back the point.

CORS support is necessary!

@moodysalem
Copy link

@moodysalem moodysalem commented Jul 17, 2017

I want to build a password database hosted in a private GitHub repository and I can't build trust because the access code has to be sent to an endpoint I host that trades a access code for a token
pdelta/pdelta.github.io#1

@amaralDaniel
Copy link

@amaralDaniel amaralDaniel commented Feb 7, 2018

Any updates on this?

@mrahman1122
Copy link

@mrahman1122 mrahman1122 commented Apr 4, 2018

Have there been any updates on this issue??

@chulman444
Copy link

@chulman444 chulman444 commented Dec 26, 2018

The request is successful in the network tab of the chrome dev tool. I can see my access_token in it, however I can't retrieve the access_token in my script because of the error ... blocked by CORS policy: No 'Access-Control-Allow-Origin' header.

Sending the access_token request with axios.post(url_with_oauth_params).

So, is this resolved, or was it like this before?; seeing successful request-response in the network tab, but unable to retrieve it in the script?

@Cobertos
Copy link

@Cobertos Cobertos commented Oct 7, 2019

Running into this today, wanted to make a dashboard for a client to regenerate their stuff with GitHub Actions by hitting a repository_dispatch endpoint without hardcoding credentials but now this doesn't seem possible.

Curious if this is in the backlog or planned for a fix in the future?

EDIT: My fix was to make a separate GitHub account with only access to the single private repository it needed access to for the dashboard and then hardcoded the credentials into the page that's only being accessed by the client.

@determin1st
Copy link

@determin1st determin1st commented Oct 20, 2019

you can bypass it... run chrome in a separate dir with:

chrome --disable-web-security --user-data-dir="<some_dir_here>"

cors is invented by the braindead corporate zombie.

@Cobertos
Copy link

@Cobertos Cobertos commented Oct 20, 2019

  1. This is not a valid workaround to ask of people that aren't yourself.
  2. Turning off security features with valid use cases is a terrible way to permanently work around this.
@determin1st
Copy link

@determin1st determin1st commented Oct 20, 2019

ive spent hours reading github guide to assemble stuff.. sure, i wont ever use github api but for testing purposes and for history of the FAIL it's completely okay. github machine cant fix this issue - ha ha.

@GeekyDeaks
Copy link

@GeekyDeaks GeekyDeaks commented Oct 28, 2019

I ended up here from another issue. I'm not sure this would work as expected since a CORS policy of Access-Control-Allow-Origin: * should restrict the use of credentials anyway

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

@steplerbox
Copy link

@steplerbox steplerbox commented Jan 6, 2020

Web application flow header looks confusing when I'm trying to get auth token from my WEB APPLICATION and getting CORS policy error.

@jens-markussen
Copy link

@jens-markussen jens-markussen commented Apr 29, 2020

I am also getting into CORS problems while trying to access login/oauth/authorize endpoint from my Javascript application which runs in browser (no server part, all straight to GitHub API).....

Will this be addressed?

adessoCucumber pushed a commit to adessoAG/Seed-Test that referenced this issue Sep 23, 2020
sommerfe added a commit to adessoAG/Seed-Test that referenced this issue Oct 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
You can’t perform that action at this time.