May 26, 2024 1:29 PM
#1
Is it possible to implement authorization if all the source code is open, with no possibility of hiding anything? I just want to make an extension to synchronize manga reading.

There are three ways:

  • The user creates the client himself and enters the data himself, which lowers the entry threshold for use.
  • I use my own third-party site, which may reduce user security.
  • I include a Client ID in the source code, which allows for potential illegal uses of my application.
May 26, 2024 3:04 PM
#2
四十二

@HellCatNya: Hi! It is important to distinguish between two types of clients: confidential clients can maintain the confidentiality of their credentials (e.g., Client Secret), while public clients are incapable of secure client authentication. You can read more about this here:

2.1.  Client Types

   OAuth defines two client types, based on their ability to
   authenticate securely with the authorization server (i.e., ability to
   maintain the confidentiality of their client credentials):

   confidential
      Clients capable of maintaining the confidentiality of their
      credentials (e.g., client implemented on a secure server with
      restricted access to the client credentials), or capable of secure
      client authentication using other means.

   public
      Clients incapable of maintaining the confidentiality of their
      credentials (e.g., clients executing on the device used by the
      resource owner, such as an installed native application or a web
      browser-based application), and incapable of secure client
      authentication via any other means.

[...]

user-agent-based application
      A user-agent-based application is a public client in which the
      client code is downloaded from a web server and executes within a
      user-agent (e.g., web browser) on the device used by the resource
      owner.  Protocol data and credentials are easily accessible (and
      often visible) to the resource owner.  Since such applications
      reside within the user-agent, they can make seamless use of the
      user-agent capabilities when requesting authorization.


When you create a new API application on MAL, you're asked for an App Type. Web corresponds to a confidential client, while Android, iOS, and Other are all aliases for a public client.

Confidential clients will receive a Client ID and a Client Secret. Public clients will only receive a Client ID.

If you're developing a browser extension, it must be considered a public client and you should choose Other as the App Type.

The Client ID is not confidential and should not be treated as a secret. It can easily be extracted from any application, including MAL's official mobile app. It can be distributed together with your application. The owner of a public client is not responsible for the (mis)use of the Client ID, it's the authorization server that must enforce proper security policies.