
Secure deployment of client secrets in python

I'm planning to write a Kodi (former XBMC) plugin for Spotify using Python. Some time ago, Spotify deprecated their old library libspotify and introduced a new REST-based WebAPI. I would like to use this API to request data like the playlists, followed albums and other user-specific stuff from Spotify. This WebAPI uses the OAuth mechanism to authorize an application to use user-specific data. Thus, I require a Client ID and a Client Secret. While the Client ID is public, I have no problem storing it in the source code. But what about the Client Secret? This secret is required by the application to authenticate itself at Spotify. Thus, it needs to be deployed as well.

How do I securely deploy this secret, such that a user of the plugin is not able to read out the secret?

I can't use obfuscation techniques because Python is interpreted and a user can simply start an interpreter, import my modules and read out the reconstructed secret. The same holds for encrypting the key. The application needs to be able to decrypt the secret and because of this, I would need to deploy the encryption key as well. This is a chicken-and-egg problem.

Any suggestions about this? How does other software solve this problem?

EDIT: I just found RFC 6819. Seems like this is a general problem in OAuth.

In this case, you can use the Implicit Grant Flow, which is designed for client-side applications where storing a secret is impractical for security reasons.
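As an added example (not code from the question or the answer above), a minimal Python client for the implicit grant the answer recommends. It assumes Spotify's authorization endpoint URL and constructed client ID and redirect values; no client secret appears anywhere, the token arrives in the URL fragment, and a callback whose state does not match the one this client issued is rejected.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed authorization endpoint (Spotify's); the rest is a generic
# OAuth 2.0 implicit-grant client with no client_secret at all.
AUTHORIZE_ENDPOINT = "https://accounts.spotify.com/authorize"


def generate_state() -> str:
    """Unguessable per-request value binding the callback to this session."""
    return secrets.token_urlsafe(32)


def build_implicit_auth_url(client_id, redirect_uri, scopes, state):
    """URL to open in the user's browser; response_type=token selects the
    implicit grant, which needs only the public client_id."""
    params = {
        "client_id": client_id,
        "response_type": "token",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_implicit_callback(callback_url, expected_state):
    """Extract the access token from the redirect the browser lands on.
    The implicit grant returns it in the fragment (after '#'), not the query
    string. The state is compared in constant time; a mismatch means the
    callback was not issued for this session (CSRF / token injection)."""
    fragment = urlparse(callback_url).fragment
    fields = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in fields:
        raise PermissionError(f"authorization denied: {fields['error']}")
    if not secrets.compare_digest(fields.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback not issued for this session")
    if fields.get("token_type", "").lower() != "bearer" or "access_token" not in fields:
        raise ValueError("malformed implicit-grant response")
    return {
        "access_token": fields["access_token"],
        "expires_in": int(fields.get("expires_in", "0")),
        "scope": fields.get("scope", ""),
    }
```

Current OAuth guidance (the OAuth 2.0 Security Best Current Practice) prefers the authorization code flow with PKCE over the implicit grant for public clients such as this plugin; the state check above applies to both flows.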
