-
Notifications
You must be signed in to change notification settings - Fork 129
OAuth web flow endpoints don't support CORS #330
Comments
On 1/8/2015 12:56 AM, Ivan Žužak wrote:
|
Ivan has a point, and implicit OAuth really would be the correct solution here. The app I'm exposing the client_secret in is a demo, so I don't really care if it can be impersonated or wiped, but in general sending client_secret to the browser is wrong, and I certainly wouldn't do it for any meaningful app. (I'd been considering it for a browser extension, but I didn't know / hadn't considered that the client_secret can be used to invalidate all tokens, so now I'm definitely going to set up a lightweight token generator server to obscure the secret.) However, I'm not really a fan of GitHub's "security through not fixing bugs that are situationally mildly discouraging" rationale (as seen here and in #316). |
I wasted the better part of a day on this dead end, trying to get the implicit OAuth2 flow to work w/ GitHub's API. I didn't notice the fine print at the top of the docs. It seems like way too much of a hurdle to have to spin up a server just to connect an application to GitHub. But for future reference, here's a simple one, tailor-made for this problem: |
I want to make a pure-javascript in-browser gist client, So CORS support is necessary! |
@wonderbeyond a serveless website, All data from Github api, so back the point. CORS support is necessary! |
I want to build a password database hosted in a private GitHub repository and I can't build trust because the access code has to be sent to an endpoint I host that trades a access code for a token |
Any updates on this? |
Have there been any updates on this issue?? |
The request is successful in the network tab of the chrome dev tool. I can see my Sending the access_token request with So, is this resolved, or was it like this before?; seeing successful request-response in the network tab, but unable to retrieve it in the script? |
Running into this today, wanted to make a dashboard for a client to regenerate their stuff with GitHub Actions by hitting a Curious if this is in the backlog or planned for a fix in the future? EDIT: My fix was to make a separate GitHub account with only access to the single private repository it needed access to for the dashboard and then hardcoded the credentials into the page that's only being accessed by the client. |
you can bypass it... run chrome in a separate dir with:
cors is invented by the braindead corporate zombie. |
|
ive spent hours reading github guide to assemble stuff.. sure, i wont ever use github api but for testing purposes and for history of the FAIL it's completely okay. github machine cant fix this issue - ha ha. |
I ended up here from another issue. I'm not sure this would work as expected since a CORS policy of https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials |
Web application flow header looks confusing when I'm trying to get auth token from my WEB APPLICATION and getting CORS policy error. |
I am also getting into CORS problems while trying to access Will this be addressed? |
Use url like that. It will work. https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token |
will not work due to isaacs/github#330
will not work due to isaacs/github#330
You send your secrets to this endpoint and by this give them access to your private code - dont do this ever. |
All of the API v3 endpoints on api.github.com support CORS (https://developer.github.com/v3/#cross-origin-resource-sharing): however, the github.com endpoints involved in creating an OAuth2 access token via the Web Flow, specifically https://github.com/login/oauth/access_token, don't support the OPTIONS method or CORS headers necessary to POST to it and get the access_token back.
This is a bug. Denying cross-origin access here doesn't help security, as it is most easily worked around by doing the POST requests through a potentially-insecure third-party open reverse proxy (as implemented using https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token on http://stuartpb.github.io/gistachio/demo.html).
The text was updated successfully, but these errors were encountered: