[FEATURE REQUEST] OAuth PKCE support (OAuth client_secret should be optional) #384
Is your feature request related to a problem? Please describe.
I don't want to have to embed an OAuth client secret into my desktop application. Embedding the client secret into a desktop application is a security vulnerability.
Describe the solution you'd like
PKCE (RFC 7636) should be used when client_secret is not provided.
Comments
If you can show me where in the Firebase REST API that exists, I can try to implement it, but for some reason I'm not seeing it anywhere myself.
My understanding is that it is part of the process for getting an access token from the OAuth providers, so it isn't part of Firebase's API but part of Google's/Facebook's/etc. OAuth APIs.
I don't believe we do anything with those. I believe we rely on the Firebase API to provide everything, outside of possibly a callback thing. That said, I'm 99% sure we can't fix this on our side. I'll try to check tomorrow, but can't promise anything.
Here is Google's documentation on the matter. Note that Google seems to require the client_secret to be included in the "exchange token" step even when using PKCE, but it seems to not technically be a secret in this case (see here).
It seems like they are saying it's "okay" for that to not be secret. I'm a bit surprised by that, but am not an expert on OAuth in any way. :P Have you tried it by just not having a value for the client secret - include it in the config as a key/value pair, but not have any value in the value? My thinking is that, if it's truly not needed, Google won't choke on it when the request is sent. But I'm not sure I'm reading the first thing correctly, especially because it doesn't appear to show up anywhere in the actual Firebase documentation, afaict.