This repository has been archived by the owner on Jul 7, 2020. It is now read-only.

Unable to find client secret #368

Open
bgornicki opened this issue Mar 10, 2019 · 14 comments

Comments

@bgornicki

I need to have my app "client secret" but it's impossible to get it from the dashboard.

@bonustrack
Contributor

@bgornicki We've changed the flow; now the secret is not known by SteemConnect, so if you don't have it you need to create a new reset. There isn't yet an easy way on the interface to do that, but here is a snippet that should help: https://gist.github.com/bonustrack/ba0202345808a1d1216c1ec02668c0b1

@r351574nc3

I had the same problem, but I can't bring myself to try it. It looks like it adds the secret to the json_metadata which is publicly available. @bgornicki did you try this? Did it work for you?

@bgornicki
Author

The problem is that the Steem account for my application was created using Steemconnect and I don't have the keys to do json_metadata update.

@bonustrack
Contributor

@r351574nc3 The param name is misleading; on the json_metadata, only the hash of the secret is available on the secret param.
@bgornicki If the steem account was created on steemconnect, the active key of the account is the same as the creator account active key, your own account.

@bgornicki
Author

Thank you, I was not aware of that and it solves my problem.

@r351574nc3

r351574nc3 commented Mar 15, 2019

@bonustrack Ok, I see. The hash obfuscates the secret which makes it fine to put into json_metadata. This kinda turns my assumption on its head. I was thinking the secret hash was my CLIENT_SECRET. Can you explain how this works if I'm creating the secret instead of using the JWT_SECRET in steemconnect? I guess what I really want to know is

  1. How does this regenerate my CLIENT_SECRET?
  2. How can I verify it is working properly with steemconnect?

@bgornicki
Author

@r351574nc3 You need to generate the secret yourself, hash it using the code snippet provided by @bonustrack, and update json_metadata on your application account. You don't need to do that if you don't need to know your secret (for example, to verify the returned token).

@r351574nc3

@bgornicki You repeated exactly what I said. I understand what the steps are. That's not what I'm asking or misunderstanding here.

I don't see how this is securing things if my hash is out there. It hasn't been said, so all I can do is assume. I'm going to assume the following: (@bonustrack please verify)

  1. The secret generated is what's passed as client_secret to steemconnect
  2. The process for validating the client_secret is the following
    1. steemconnect gets the owner id of the app
    2. steemconnect gets the account json_metadata
    3. steemconnect gets the Secret field
    4. steemconnect validates the client_secret by unhashing it. (I realize this could be wrong because then steemconnect would know the secret which the whole point of this is to avoid).

The above makes sense because then it means the reason the secret hash is in json_metadata is that it's public on purpose for steemconnect to access it. My only guess is so that it can validate the client_secret. Of course, this may make sense, but my skeptical nature makes me question it. I am skeptical because while it does make sense I question "Why make the hash public?". The only one going to use this information is steemconnect. Public on purpose implies the public needs to know it to decentralize or distribute the information (like PGP keys). I don't see the point here though unless there's something I'm missing. I just talked myself into thinking I'm wrong because there's gotta be more here, right?
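An added illustration of the pattern discussed in the comments above (a public hash of a private secret, checked by re-hashing rather than "unhashing"). This is not code from the thread, the gist, or the SteemConnect code base: SHA-256, the `secret` field name and all function names are assumptions made for the example.

```javascript
// Added example; SHA-256 and the "secret" metadata field are assumptions,
// not confirmed details of SteemConnect or of the linked gist.
const crypto = require('crypto');

// Generate a high-entropy client secret: 32 random bytes, hex-encoded.
function generateClientSecret() {
  return crypto.randomBytes(32).toString('hex');
}

// One-way hash of the secret. Publishing it is only safe when the
// secret is random enough that it cannot be guessed and re-hashed.
function hashSecret(secret) {
  return crypto.createHash('sha256').update(secret, 'utf8').digest('hex');
}

// Public metadata carries the hash only, never the secret itself.
function buildPublicMetadata(secret) {
  return JSON.stringify({ secret: hashSecret(secret) });
}

// Verifier side: hash the presented secret and compare with the
// published hash in constant time. Nothing is ever "unhashed".
function verifyClientSecret(presented, publicMetadataJson) {
  let stored;
  try {
    stored = JSON.parse(publicMetadataJson).secret;
  } catch {
    return false; // malformed or missing metadata
  }
  if (typeof presented !== 'string' || typeof stored !== 'string') return false;
  const a = Buffer.from(hashSecret(presented), 'hex');
  const b = Buffer.from(stored, 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Self-audit: a published hash of a guessable secret gives no protection,
// because anyone can hash candidate values and compare.
function matchesKnownWeakSecret(publishedHash, candidates) {
  return candidates.some((c) => hashSecret(c) === publishedHash);
}
```
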

@r351574nc3

I tried the above and I am getting 401 Unauthorized, so I guess I must have been wrong. You don't pass secret as client_secret. I'm not sure what to use then.

@digital-mine

I'm trying to use WP social login with steemconnect.
I generated the client secret with the js script @bonustrack posted above, but I would like to know which one exactly is the application ID and where to find it.

Thanks

@bonustrack
Contributor

The application id is simply the app account username @digital-mine

@r351574nc3

Ok. I used my account instead of my app account 🤦 My app account was created through steemconnect v2. I don't have any of the keys because steemconnect holds the keys, so I can't update the profile. I'm basically locked out at this point. I tried https://app.steemconnect.com/accounts/recover. Still waiting on recovery.

@bgornicki
Author

@r351574nc3 I asked the same question and here is the answer.

@r351574nc3

r351574nc3 commented Apr 3, 2019

@bgornicki Oh, I missed that earlier. Somehow, that didn't register to me at the time as valuable information. Thanks. For those that wonder which part was useful from @bonustrack :

If the steem account was created on steemconnect, the active key of the account is the same as the creator account active key, your own account.


4 participants