#4 OAuth2 option: add optional client secret #3
Conversation
Thanks for the PR. To my understanding, the secret should not be put into a frontend application, as it is "secret". So adding a secret into a frontend application would be a bad idea IMHO. I guess that is what "public clients" (without a secret) are for: https://oauth.net/2/client-types/
The client (browser) should never hold the client (web service) secret. Remember, if the "client" in client_id and client_secret was referring to the browser client, why do all of your visitors use the same client_id and client_secret? This should tell you that "client" in this context is the website server maintainer. The frontend code sent to the browser should only contain "client_id".
Here's a simple OAuth2 setup (though it is nodeJS) that is easy to follow and I think demonstrates the flow of OAuth2 very very well.
Hey friends, thank you so much for your feedback. @ctron I am planning to use this lib in the context of an Electron app, so it is similar to the desktop app flow described here: https://developers.google.com/identity/protocols/oauth2 "Installed applications: The Google OAuth 2.0 endpoint supports applications that are installed on devices such as computers, mobile devices, and tablets. When you create a client ID through the Google API Console, specify that this is an Installed application, then select Android, Chrome app, iOS, Universal Windows Platform (UWP), or Desktop app as the application type. The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)"
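The distinction drawn in the two comments above, as an added example that is not the crate's own code: only a confidential (server-side) client carries a `client_secret`; a public client (browser or native app) sends `client_id` alone. The `OAuth2Client` and `ClientType` names and the sample values are assumptions for illustration.

```rust
// Added example, not part of this crate. Models the OAuth2 client types
// from RFC 6749 section 2.1 and shows that the token request of a public
// client never includes a client_secret.

/// Which kind of OAuth2 client this configuration represents.
#[derive(Debug, Clone, PartialEq)]
pub enum ClientType {
    /// Browser or native app: cannot keep a secret, so it has none.
    Public,
    /// Server-side web application that holds the shared secret.
    Confidential { client_secret: String },
}

/// Hypothetical client configuration (name is an assumption).
pub struct OAuth2Client {
    pub client_id: String,
    pub redirect_uri: String,
    pub kind: ClientType,
}

/// Percent-encode a form value, keeping only the RFC 3986 unreserved set.
fn form_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

impl OAuth2Client {
    /// Body of the authorization-code exchange (application/x-www-form-urlencoded).
    /// The client_secret pair is appended only for a confidential client.
    pub fn token_request_body(&self, code: &str) -> String {
        let mut pairs = vec![
            ("grant_type", "authorization_code".to_string()),
            ("code", code.to_string()),
            ("redirect_uri", self.redirect_uri.clone()),
            ("client_id", self.client_id.clone()),
        ];
        if let ClientType::Confidential { client_secret } = &self.kind {
            pairs.push(("client_secret", client_secret.clone()));
        }
        let encoded: Vec<String> = pairs.iter().map(|(k, v)| format!("{}={}", k, form_encode(v))).collect();
        encoded.join("&")
    }
}
```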
It might be the case that I should create a different crate for desktop apps so that this crate remains focused on the web client scenario (which is the most common use case for yew anyways). |
Taking a look at "Mobile & Desktop Apps", which I guess an Electron app would be, it doesn't mention client secrets though: https://developers.google.com/identity/protocols/oauth2/native-app and only has a warning that client secrets aren't secure:
I am ok with adding this in general. I just don't want it to look like using this is a good idea :) So adding this, I would ask you to make a dedicated note on the field, explaining the situation. Also, I would ask to move the value out of the standard
I hear you and it makes sense 😄
Sorry, wrong thread.
Closes #4
OAuth2 providers like Google require client_secret.
Test: