keeping client_secret secret


Adam Cox

Jul 12, 2012, 2:46:18 AM7/12/12
to podi...@googlegroups.com
I want to access an app in Podio using JavaScript. How do I keep the client_secret actually secret? I can't just hard-code it into my JavaScript. Then anybody can see it and use it to manipulate items in my app.

thanks,
Adam

Kenneth Auchenberg

Jul 12, 2012, 3:14:57 AM7/12/12
to podi...@googlegroups.com
Hi Adam,

If you are trying to use our API directly from the browser, you should use the OAuth2 client authentication flow, where you don't need to expose the client_secret, and the access token is returned in a URL fragment, so it will only be readable in the browser.

Read more about it here https://developers.podio.com/authentication/client_side

If you are in a Node context, I would recommend using this Podio wrapper: https://github.com/haugstrup/podiojs

//Kenneth Auchenberg
Developer, Podio

Adam Cox

Jul 12, 2012, 3:28:21 AM7/12/12
to podi...@googlegroups.com
Thanks for the fast reply. I'm not using Node. I'm actually running my webpage in a CouchApp.

So, what I want to do is just grab all of the items in a particular app and display them on a webpage... I'm not a developer (I'm a physicist) and the OAuth stuff is a bit new to me. The webpage should be able to display the information without the user having to authenticate anything... the people that will be looking at my webpage are not Podio users, nor do I want them to be.

Is what I want to do possible? 

Wouldn't it be nice if I could just replicate my "app" database to my local CouchDB and then my webpage would just pull from my local couch. :)

thanks again.
adam

Casper Fabricius

Jul 12, 2012, 3:49:26 AM7/12/12
to podi...@googlegroups.com
Hi Adam,

I can see from your other thread that you already use app authentication. That's the way to go, and as long as you can do the actual authentication part server side (I assume a couch app can do that?) you should have a secure app where the user does not need to login.

/Casper

Adam Cox

Jul 12, 2012, 3:52:29 AM7/12/12
to podi...@googlegroups.com
Hi… sorry for the dual threads.

So, the CouchApp just serves up a webpage, with all its JavaScript. I suppose I could figure out a way to make it run something server-side, and then I would put the client_secret in a server-side script… but that's not very trivial. Obviously, embedding the client_secret in the JavaScript doesn't work either.

I'll jump on the CouchDB IRC channel and see if they can tell me how to run something on the server-side.

I still can't read the item/app/{app_id} with App Authentication though. :)

Adam