Skip to content
This repository has been archived by the owner on Nov 18, 2021. It is now read-only.

OAuth web flow endpoints don't support CORS #330

Open
stuartpb opened this issue Jan 8, 2015 · 18 comments
Open

OAuth web flow endpoints don't support CORS #330

stuartpb opened this issue Jan 8, 2015 · 18 comments
Labels
API Requests related to the GitHub developer API authentication SMS, 2FA, MFA, WebAuthn, passwords, and other related authentication schemes bug

Comments

@stuartpb
Copy link

stuartpb commented Jan 8, 2015

All of the API v3 endpoints on api.github.com support CORS (https://developer.github.com/v3/#cross-origin-resource-sharing): however, the github.com endpoints involved in creating an OAuth2 access token via the Web Flow, specifically https://github.com/login/oauth/access_token, don't support the OPTIONS method or CORS headers necessary to POST to it and get the access_token back.

This is a bug. Denying cross-origin access here doesn't help security, as it is most easily worked around by doing the POST requests through a potentially-insecure third-party open reverse proxy (as implemented using https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token on http://stuartpb.github.io/gistachio/demo.html).

@stuartpb
Copy link
Author

stuartpb commented Jan 8, 2015

On 1/8/2015 12:56 AM, Ivan Žužak wrote:

Hi Stuart,

Thanks for the feedback. The GitHub API's OAuth implementation doesn't support the implicit OAuth flow currently, which would allow you to complete the OAuth flow from a browser:

https://tools.ietf.org/html/rfc6749#section-4.2

Improving our implementation so that this is supported is already on our wishlist, but I can't say if/when it might happen. For now, you should use a server-side component to complete the flow (your own server-side component, not a potentially-insecure third-party component you can't really trust).

Allowing CORS for the endpoint you mentioned would mean that you could complete this step of the Web flow from a browser:

https://developer.github.com/v3/oauth/#github-redirects-back-to-your-site

And this would mean that you're hard-coding your client_id and client_secret into a webpage (or JS file loaded into that webpage) for everyone to see. This would indeed cause security concerns since the client_secret should be kept secret. If someone got hold of your client_id and client_secret, they could impersonate you application, and for example -- wipe all the tokens for that application:

https://developer.github.com/v3/oauth_authorizations/#revoke-all-authorizations-for-an-application

Let me know if you have any other feedback or questions.

Cheers,
Ivan

@stuartpb
Copy link
Author

stuartpb commented Jan 8, 2015

Ivan has a point, and implicit OAuth really would be the correct solution here. The app I'm exposing the client_secret in is a demo, so I don't really care if it can be impersonated or wiped, but in general sending client_secret to the browser is wrong, and I certainly wouldn't do it for any meaningful app.

(I'd been considering it for a browser extension, but I didn't know / hadn't considered that the client_secret can be used to invalidate all tokens, so now I'm definitely going to set up a lightweight token generator server to obscure the secret.)

However, I'm not really a fan of GitHub's "security through not fixing bugs that are situationally mildly discouraging" rationale (as seen here and in #316).

@ericsoco
Copy link

I wasted the better part of a day on this dead end, trying to get the implicit OAuth2 flow to work w/ GitHub's API. I didn't notice the fine print at the top of the docs.

It seems like way too much of a hurdle to have to spin up a server just to connect an application to GitHub. But for future reference, here's a simple one, tailor-made for this problem:
https://github.com/prose/gatekeeper

@wonderbeyond
Copy link

I want to make a pure-javascript in-browser gist client, So CORS support is necessary!

@axetroy
Copy link

axetroy commented Apr 25, 2017

@wonderbeyond
That's great! I am doing something like you.

a serveless website, All data from Github api, so back the point.

CORS support is necessary!

@moodysalem
Copy link

I want to build a password database hosted in a private GitHub repository and I can't build trust because the access code has to be sent to an endpoint I host that trades a access code for a token
pdelta/pdelta.github.io#1

@amaralDaniel
Copy link

Any updates on this?

@mrahman1122
Copy link

Have there been any updates on this issue??

@chulman444
Copy link

The request is successful in the network tab of the chrome dev tool. I can see my access_token in it, however I can't retrieve the access_token in my script because of the error ... blocked by CORS policy: No 'Access-Control-Allow-Origin' header.

Sending the access_token request with axios.post(url_with_oauth_params).

So, is this resolved, or was it like this before?; seeing successful request-response in the network tab, but unable to retrieve it in the script?

@TPS TPS added bug authentication SMS, 2FA, MFA, WebAuthn, passwords, and other related authentication schemes API Requests related to the GitHub developer API labels Feb 28, 2019
@Cobertos
Copy link

Cobertos commented Oct 7, 2019

Running into this today, wanted to make a dashboard for a client to regenerate their stuff with GitHub Actions by hitting a repository_dispatch endpoint without hardcoding credentials but now this doesn't seem possible.

Curious if this is in the backlog or planned for a fix in the future?

EDIT: My fix was to make a separate GitHub account with only access to the single private repository it needed access to for the dashboard and then hardcoded the credentials into the page that's only being accessed by the client.

@determin1st
Copy link

determin1st commented Oct 20, 2019

you can bypass it... run chrome in a separate dir with:

chrome --disable-web-security --user-data-dir="<some_dir_here>"

cors is invented by the braindead corporate zombie.

@Cobertos
Copy link

  1. This is not a valid workaround to ask of people that aren't yourself.
  2. Turning off security features with valid use cases is a terrible way to permanently work around this.

@determin1st
Copy link

determin1st commented Oct 20, 2019

ive spent hours reading github guide to assemble stuff.. sure, i wont ever use github api but for testing purposes and for history of the FAIL it's completely okay. github machine cant fix this issue - ha ha.

@GeekyDeaks
Copy link

I ended up here from another issue. I'm not sure this would work as expected since a CORS policy of Access-Control-Allow-Origin: * should restrict the use of credentials anyway

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

@steplerbox
Copy link

Web application flow header looks confusing when I'm trying to get auth token from my WEB APPLICATION and getting CORS policy error.

@jens-markussen
Copy link

I am also getting into CORS problems while trying to access login/oauth/authorize endpoint from my Javascript application which runs in browser (no server part, all straight to GitHub API).....

Will this be addressed?

@abdurrahmanyildirim
Copy link

Use url like that. It will work. https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token

adessoCucumber pushed a commit to adessoSE/Seed-Test that referenced this issue Sep 23, 2020
sommerfe added a commit to adessoSE/Seed-Test that referenced this issue Oct 5, 2020
@defel
Copy link

defel commented Jul 16, 2021

Use url like that. It will work. https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token

You send your secrets to this endpoint and by this give them access to your private code - dont do this ever.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
API Requests related to the GitHub developer API authentication SMS, 2FA, MFA, WebAuthn, passwords, and other related authentication schemes bug
Projects
None yet
Development

No branches or pull requests