How do applications keep their client credentials secret? I mean the credentials that the service issues to me, the developer, when I register my application with them.

@tennoseremel Your response sounds like sarcasm, but assuming it's not: how does the app make an OAuth request then, if the credentials are not part of the source code?

@minoru It's not.

Basically, you publish your (compiled) program with credentials built in, but you don't have them in your public source code. So, if someone wants to compile the program by himself, he can do it, but he'll need his own credentials. At least I think that's how it goes.

@tennoseremel I see. This just punts the problem to the distribution maintainers, or forces the developer to become the source of binaries as well. Also, not all services issue credentials to individuals; e.g. doesn't.

I'm still hoping that someone will chime in and describe a magic way to have the cake and eat it too :)

@minoru Many of them require the user to obtain credentials for themselves, I think.

@minoru I've run into this before. Many programs (like LibreTranslate) tend to release the software and let users put in the credentials. They have to get their own API key.

You could also distribute one built-in, as mentioned elsewhere in the thread.
