OAuth2 how to hide the secret

Volumio Development Development talks
1

Hi all,

Say if I wanted to implement some service which requires OAuth2 authentication, how would I go about hiding the secret? The client ID, afaik, is not too important.
For example in the LastFM plugin, I require people to submit their own, but that isn’t good practice. I can’t write C++, so writing code that isn’t easily decompiled is difficult.

Is there a shortcut I can take, or should I learn C++, compile a binary and use that binary instead of javascript files to fetch the token (and maybe more). Obviously this would still make it susceptible to MitM attacks (e.g. in the case of proxies) I presume.

Or maybe a single binary can be written with all client ID’s and secrets, just for authenticating services for Volumio. That way plugin makers only need to reference that binary and call it’s public functions (with credentials); whereas that binary will make the call to the API providing the plugin with the token.

Just thinking out loud here and hoping you will contribute to the discussion :slight_smile: In any case, storing the secrets in the easily readable javascript files is bad practice, even obfuscated.

Thanks and happy Easter all!

2

For the Spotify Connect stuff, I just baked it into the compiled binary. But recently, I also went ahead and implement a simple Oauth handler that can be cross compiled easily for the archs supported by Volumio…

But I think the idea is to move towards a myVolumio-isque serverside service that does all the OAuth stuff.
For example, the spotify plugins uses http://oauth-performer.dfs.volumio.org/spotify

3

Hi,

Thanks for the update, I actually spoke to Michelangelo in the meantime, I concur this should be proprietary code.

This would inevitably mean and updated LastFM plugin would move to MyVolumio. Then again, this eliminates the need to register a new app. There’s always pros and cons :wink: