Client secrets are an authorization (not authentication) mechanism. Even the linked website acknowledges them to be insecure, so we can probably hope they aren't being improperly trusted here. Indeed, this isn't unique to the HMRC API either. It is an OAuth thing. A discussion of the security implications can be found in the OAuth2 security RFC:
https://tools.ietf.org/html/rfc6819

There may even be some legitimate uses for an insecure "secret" in this sense. For instance, if the secret is unique to a version of an application, there will be many in use. Combining it with session keys to confirm reauthorizations can reduce the attack surface for spoofing-type attacks, since the attacker has to guess which version of which software you are using during your current session.

This isn't to say this implementation is doing it all right. They may, in fact, be naively assuming client secrets will be secret and giving them more weight than appropriate.

The dangerous assumption here, though, is that ANY client secret could be secured on ANY installed software. Proprietary software may be disassembled and the secret extracted. Even if it is obfuscated, by say chopping it into pieces and reassembling it at runtime, once the subroutine that does this is found, the secret can be extracted. Sound like a lot of work? If there are only a few proprietary applications in use, and there is money involved (there's no money in taxes, right?), someone will eventually do the work.

The long and the short of it is that this probably isn't an issue at all if the client secret is being used as intended in OAuth, but if it is an issue, it wouldn't just be an issue for open source software. It would be something that would compromise the API in general.

On May 1, 2017 06:05, "Mike Evans" <[email protected]> wrote:

> On Mon, 17 Apr 2017 20:06:15 +0100
> Mike Evans <[email protected]> wrote:
>
> > On Mon, 17 Apr 2017 19:34:36 +0100
> > "Maf. King" <[email protected]> wrote:
> >
> > > On Monday, 17 April 2017 16:39:02 BST Alain Williams wrote:
> > > > On Mon, Apr 17, 2017 at 04:00:20PM +0100, David Goodenough wrote:
> > > > > Apparently they have effectively locked out open source software as there
> > > > > is a per application (i.e. there would be one just for GnuCash) "secret"
> > > > > that is used during the OAuth2 login. Keeping that value secret is not
> > > > > possible in open source (closed source just hard code it into their code)
> > > > > so effectively open source can not be used.
>
> The authorisation process is described at:
> https://developer.service.hmrc.gov.uk/api-documentation/docs/authorisation
>
> I've CC'd this to the devel list.
>
> Mike E
>
> _______________________________________________
> gnucash-devel mailing list
> [email protected]
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
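The point made above, that a client secret baked into every copy of an installed application identifies the software build rather than any particular user or session, and that binding the flow to a per-session value is what actually limits spoofing, can be shown with a small simulation. The following Python is an added example written for this thread; it is not code from GnuCash, from HMRC, or from any OAuth library. The client id and secret are constructed sample values, the `AuthServer` class is a toy stand-in for an authorization server, and the per-session binding (a random verifier committed to by its SHA-256 hash at authorization time and revealed at token time) is the same construction that RFC 7636 (PKCE) standardizes for public clients.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values for a hypothetical installed client.  The
# "secret" is identical in every shipped copy, so anyone who owns the
# binary (or can read the open-source tree) knows it.
CLIENT_ID = "example-tax-client-v1"       # hypothetical client id
CLIENT_SECRET = "built-in-secret-0000"    # hypothetical, not a real credential


def _challenge(verifier: str) -> str:
    """Commitment to a per-session random value (PKCE-style S256 construction)."""
    return hashlib.sha256(verifier.encode()).hexdigest()


@dataclass
class AuthServer:
    """Toy authorization server exposing two token endpoints for comparison."""
    codes: dict = field(default_factory=dict)   # code -> (client_id, user, challenge)

    def authorize(self, client_id: str, user: str,
                  challenge: Optional[str] = None) -> str:
        """Front channel: the user consents and the server issues a one-time code.
        If the client supplied a challenge, the code is bound to that session."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, challenge)
        return code

    def _client_secret_ok(self, client_id: str, client_secret: str) -> bool:
        # Shared by every installation: this identifies the *software*, not the user.
        return client_id == CLIENT_ID and hmac.compare_digest(client_secret, CLIENT_SECRET)

    def token_naive(self, client_id: str, client_secret: str, code: str) -> Optional[dict]:
        """Endpoint that treats the client secret as the only client proof: whoever
        holds the extracted secret can redeem any code they get hold of."""
        if not self._client_secret_ok(client_id, client_secret):
            return None
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        return {"access_token": secrets.token_urlsafe(24), "sub": entry[1]}

    def token_bound(self, client_id: str, client_secret: str, code: str,
                    verifier: str) -> Optional[dict]:
        """Endpoint that additionally demands the session's verifier, so the shared
        secret alone cannot finish a flow that another session started."""
        if not self._client_secret_ok(client_id, client_secret):
            return None
        entry = self.codes.get(code)
        if entry is None or entry[0] != client_id or entry[2] is None:
            return None
        if not hmac.compare_digest(_challenge(verifier), entry[2]):
            return None
        self.codes.pop(code)   # consume only on success
        return {"access_token": secrets.token_urlsafe(24), "sub": entry[1]}


def run_scenario() -> dict:
    """Constructed walk-through: a legitimate install and a second party who knows
    CLIENT_SECRET and has obtained a copy of the user's authorization code."""
    server = AuthServer()
    results = {}

    # 1. Naive server: the code is not bound to any session.
    code = server.authorize(CLIENT_ID, user="alice")
    copied_code = code
    results["naive_attacker"] = server.token_naive(CLIENT_ID, CLIENT_SECRET, copied_code) is not None
    results["naive_legit_after"] = server.token_naive(CLIENT_ID, CLIENT_SECRET, code) is not None

    # 2. Bound server: the legitimate client generated a verifier for this session.
    verifier = secrets.token_urlsafe(32)
    code = server.authorize(CLIENT_ID, user="alice", challenge=_challenge(verifier))
    copied_code = code
    results["bound_attacker"] = server.token_bound(CLIENT_ID, CLIENT_SECRET, copied_code, "guess") is not None
    results["bound_legit"] = server.token_bound(CLIENT_ID, CLIENT_SECRET, code, verifier) is not None
    # Knowing the secret but never seeing a valid code still yields nothing.
    results["bound_secret_only"] = server.token_bound(CLIENT_ID, CLIENT_SECRET, "no-such-code", verifier) is not None
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:20s} token issued: {ok}")
```

Run as a script it prints one line per case: the copied code is redeemable on the naive endpoint by anyone holding the shared secret (and the real user's later attempt then fails, because the code was consumed), while on the bound endpoint only the session that generated the verifier can redeem it. That is the sense in which the secret is an authorization detail rather than authentication: the security of the flow rests on the code's one-time nature and its binding to the session, not on the secrecy of a value shipped in every copy of the client.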
