Safely storing an application's API keys

Wolthera griffinvalley at gmail.com
Mon Jan 18 15:08:11 GMT 2021


On Mon, Jan 18, 2021 at 3:55 PM Nicolás Alvarez
<nicolas.alvarez at gmail.com> wrote:
>
>
> Protecting an API key on a locally-running application is impossible even for a closed source app. It's equivalent to the impossible task DRM intends to achieve (hiding the content decryption key from the user while decrypting content on their computer). If you give the application to the user, as opposed to running everything in a server, the key *will* be publicly available.
>
> https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gmailpasswordrequester.cpp#0016
>
> --
> Nicolas

It's in fact so impossible that OAuth experts are advocating a number
of extra keys (such as proof key for code exchange and application
state) to be given in the OAuth flow. Stuff like IndieAuth even does away
with the 'client secret' (an OAuth API key), because it just makes no
sense in projects with public code.

I was looking into this a while back. OAuth-wise, neither the o2 Qt
library for OAuth supports the proof key (PKCE) nor does the OAuth
plugin for SSO (which KAccounts uses), and then I ran out of time to
look into this.

-- 
Wolthera
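As an added illustration (not code from this thread, nor from the o2 or KAccounts projects), here is how the PKCE verifier/challenge pair and the state value mentioned above bind an authorization code to the client instance that requested it, so a public client needs no embedded secret. The `AuthServer` class is a hypothetical stand-in for the authorization server's bookkeeping; the fixed verifier/challenge pair used in the comments is the example from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# RFC 7636 (PKCE): the public client keeps a random code_verifier locally and
# sends only its SHA-256 hash (the code_challenge) in the authorization
# request. The later token request presents the verifier; the server hashes
# it and compares. An intercepted code is useless without the verifier, and
# no client secret has to ship inside the application.


def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43 URL-safe characters (RFC allows 43..128)
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    # e.g. "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    #   -> "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_state() -> str:
    # Opaque per-request value the client stores and re-checks on redirect
    return b64url(secrets.token_bytes(16))


class AuthServer:
    """Hypothetical server-side bookkeeping: challenge bound to each code."""

    def __init__(self):
        self._codes = {}

    def authorize(self, challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = challenge
        return code

    def token(self, code: str, verifier: str) -> bool:
        # Codes are single-use: removed whether or not the verifier matches
        challenge = self._codes.pop(code, None)
        if challenge is None:
            return False
        return secrets.compare_digest(make_challenge(verifier), challenge)


def client_redirect_ok(sent_state: str, returned_state: str) -> bool:
    # The client rejects a redirect whose state differs from what it sent
    return secrets.compare_digest(sent_state, returned_state)
```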

