How to secure client secret for OAuth2 login to Parse server?

I want users of my macOS app to be able to securely log into my Parse Server using OAuth2 third-party login. I have been looking for the best approach for this, but there are still some problems. If I understand correctly, logging in requires:

  1. Enable OAuth in my Parse Server config file (for Twitter, Google, etc.).
  2. Get an access token from a provider (e.g. Twitter) using client-side OAuth login. I am currently using OAuthSwift.
  3. Log into Parse using the access token from step 2, as suggested in the Swift example given here, i.e.

    // Objective-C, Parse SDK: log in with the authData obtained from the provider in step 2
    [[PFUser logInWithAuthTypeInBackground:provider authData:authData] continueWithBlock:^id(BFTask<id> *task) {
        return task;
    }];

This login approach requires the use of a client and client key for each provider. How can I safely store these secret keys on my Parse server and access them programmatically? Should I use PFConfig and access them at runtime? Is it safe? Or am I doing something wrong here? If anyone has a better approach or an example of how I should enable OAuth login, I would appreciate it (since I'm on macOS, I can't use TwitterUtils and FacebookUtils).

+3




1 answer


No private key should ever be used on your client. The client key can be considered "public" and in fact is optional (although recommended).

Your private key should only be stored on your server, preferably as a config / env variable (Note: NOT PFCONFIG). Any use of it must be on your server, and you can create a cloud code function that will use the key as needed and return the required values to your client. The client has to call this, get the key you need, and then use it appropriately.



Although I'm also not familiar with the client's private key at all? This is the first thing I saw. I wonder if you misunderstood any of the documentation?

+1

