Timeline for Does it make sense to create a whole new API interface to just handle the web secret key?
Current License: CC BY-SA 3.0
10 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jun 16, 2020 at 10:01 | history edited | CommunityBot | | Commonmark migration |
| Apr 29, 2018 at 7:10 | vote accept | Alireza | | |
| Apr 28, 2018 at 20:18 | comment added | Sentinel | | Isn't your question actually "how do I make my public API private to me or my partners?" |
| Apr 28, 2018 at 20:08 | answer added | Sentinel | | timeline score: 0 |
| Apr 27, 2018 at 14:43 | answer added | joakim | | timeline score: 2 |
| Dec 7, 2017 at 19:24 | comment added | Alireza | | @Ewan, what I'm trying to do is to prevent users from getting the secret and sending their requests to the API Gateway in place of our React web application. The application is a social networking application that in the future will expose its REST API to third parties through a client id and secret (paid plan). But if they already have access to the secret key, then exposing the API to third parties is useless, as they can do whatever they want with the API Gateway. |
| Dec 7, 2017 at 17:02 | comment added | Ewan | | This question comes up a lot. In theory it's impossible. But maybe if you add more detail on what your specific app is and what you are trying to prevent...? |
| Dec 7, 2017 at 16:26 | comment added | Alireza | | @Becuzz, well, the only grant that can be used to get an access token without a client secret is the Authorization Code Grant flow, which does not make sense when the application is owned by myself. I cannot redirect the user to another page and then ask for a permission grant! |
| Dec 7, 2017 at 16:11 | comment added | Becuzz | | I think you're misunderstanding some things here. Things like single-page JavaScript apps (or other things where you can't guarantee being able to keep the client secret) typically don't use the secret at all. If you had made this secret keeper thing, what would prevent the "WILD internet" from just calling that instead? This link might be useful in helping with the OAuth2 flow, especially without the secret. |
| Dec 7, 2017 at 15:19 | history asked | Alireza | CC BY-SA 3.0 | |