Reputation: 1020
I'd like to create an open source project using the GitHub API, but I came across a problem having my secret key in the source code. I've read from various places to never include any secret keys in the source and I agree with that. I've also found a couple of vague references about authenticating through a web server instead of making users acquire their own API keys.
From my understanding it would go something like this:
When it comes time to authenticate with GitHub, I would have the user send a request to my server. From there, I would authenticate with GitHub using my own API keys and after a successful authentication, return the signature to the user who made the request. From that point on they could communicate directly with GitHub. Is that correct?
If that is how it works, I would love to know a little more about the process. It's my first time working with APIs so I'm pretty new to this.
Upvotes: 4
Views: 1015
Reputation: 1020
I never received an answer to this question so I thought I would pass along what I found in the meantime.
The main concern with open sourcing a project that utilizes an API is disclosing your client secret (at least in the case of GitHub, which is why I posted this question). You should never include your client secret in the source. If someone has your client secret and client id they can effectively impersonate your application.
So, that leaves two options.
1). Run your own simple server.
2). Require everyone who forks your project to get their own GitHub API keys.
I would suggest going with option 2. If you open source an application, it's no longer yours, and you don't have a say in what other people will do with it. So, why would you want to be accountable for what someone else's application does while using your client id and secret?
There is also another problem here. Once you authenticate with GitHub and get an Auth Token, you need to somehow securely store that Auth Token. I didn't realize it initially, but it's basically a password. If you store the Auth Token in plain text and someone else recovers it, they can make a request to the API and retrieve all of the user's data. (This is using OAuth2 and bearer tokens.)
There's really not a good way to store the auth token on the client, which also presents another problem when you are trying to open source your project. Whoever uses your open source project will essentially need to use their own server for the initial authentication and then also to store the auth token.
Just some things to keep in mind.
Upvotes: 8
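Option 1 from the answer above (a small server that holds the client secret and performs the OAuth2 code exchange on the user's behalf), as an added example that is not part of the original post. The two GitHub URLs are its documented web-flow endpoints; the environment variable names and the `post` hook used to inject a transport are assumptions made here.

```python
# Added example, not from the original post: server-side GitHub OAuth2 code
# exchange. The client secret is read from the environment and only ever sent
# from this server to GitHub, so it never appears in the open source client.
import json
import os
import secrets
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"  # GitHub web flow
TOKEN_URL = "https://github.com/login/oauth/access_token"   # GitHub web flow


def build_authorize_url(client_id, redirect_uri, scope="read:user"):
    """Return (url, state). Store `state` server-side (e.g. in the session) and
    refuse any callback whose state does not match, which blocks CSRF on the
    callback. Note that only the public client_id goes into this URL."""
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params), state


def _default_post(url, data):
    """Real transport: form-encoded POST, asking GitHub for a JSON reply."""
    req = Request(url, data=urlencode(data).encode(),
                  headers={"Accept": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def exchange_code(code, state, expected_state, client_id, client_secret,
                  post=_default_post):
    """Swap the authorization code for a bearer token. Runs on the server only;
    `post` is an assumed hook so the exchange can be tested without network."""
    if not state or not expected_state or \
            not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: refusing to exchange code")
    body = post(TOKEN_URL, {"client_id": client_id,
                            "client_secret": client_secret, "code": code})
    if "access_token" not in body:
        raise RuntimeError("token exchange failed: " + body.get("error", "?"))
    return body["access_token"]  # treat this like a password from here on


def load_credentials():
    """Credentials come from the environment (or a secrets manager), never
    from the repository. Variable names are an assumption of this example."""
    cid = os.environ.get("GITHUB_CLIENT_ID")
    csec = os.environ.get("GITHUB_CLIENT_SECRET")
    if not cid or not csec:
        raise RuntimeError("set GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET")
    return cid, csec
```

The token returned by `exchange_code` should stay on the server (or be handed to the user over TLS and stored in a keychain-style store), not written to a plain text file as the answer warns.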