Client secrets are an authorization (not authentication) mechanism. Even
the linked website acknowledges them to be insecure, so we can probably
hope they aren't being improperly trusted here. Indeed, this isn't unique
to the HMRC API either. It is an OAuth thing. A discussion of the security
implications can be found in the OAuth2 security RFC:
There may even be some legitimate uses for an insecure "secret" in this
sense. For instance, if the secret is unique to a version of an
application, there will be many in use. Combining it with session keys to
confirm reauthorizations can reduce the attack surface for spoofing-type
attacks since the attacker has to guess which version of which software you
are using during your current session.
This isn't to say this implementation is doing it all right. They may, in
fact, be naively assuming client secrets will be secret and giving them
more weight than appropriate. The dangerous assumption here, though, is
that ANY client secret could be secured on ANY installed software.
Proprietary software may be disassembled and the secret extracted. Even if
it is obfuscated, by say chopping it into pieces and reassembling it at
runtime, once the subroutine that does this is found, the secret can be
extracted. Sound like a lot of work? If there are only a few proprietary
applications in use, and there is money involved (there's no money in
taxes, right?) someone will eventually do the work.
The long and the short of it is that this probably isn't an issue at all if
the client secret is being used as intended in OAuth, but if it is an
issue, it wouldn't just be an issue for open source software. It would be
something that would compromise the API in general.
> On Mon, 17 Apr 2017 20:06:15 +0100
> Mike Evans <[hidden email]> wrote:
> > On Mon, 17 Apr 2017 19:34:36 +0100
> > "Maf. King" <[hidden email]> wrote:
> > > On Monday, 17 April 2017 16:39:02 BST Alain Williams wrote:
> > > > On Mon, Apr 17, 2017 at 04:00:20PM +0100, David Goodenough wrote:
> > > > > Apparently they have effectively locked out open source software as there
> > > > > is a per application (i.e. there would be one just for GnuCash)
> > > > > that is used during the OAuth2 login. Keeping that value secret is not
> > > > > possible in open source (closed source just hard code it into their code)
> > > > > so effectively open source can not be used.
> The authorisation process is described at:
> https://developer.service.hmrc.gov.uk/api-documentation/docs/authorisation
> I've CC'd this to the devel list.
> Mike E
> gnucash-devel mailing list
> [hidden email]
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
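As an added illustration (not code from this thread, from GnuCash or from the HMRC API), here is a toy authorization server in Python that models the two client types the discussion contrasts: a confidential client, whose secret is actually checked, and a public client (installed or open-source software) whose embedded secret is treated as already extracted and is replaced by a per-session PKCE code verifier (RFC 7636, which the thread does not mention). The client ids, secrets and registry are constructed for the example.

```python
import base64, hashlib, hmac, secrets

# Constructed registry (hypothetical): a server-side app that can keep a secret,
# and an installed/open-source app whose "secret" ships inside the binary.
CLIENTS = {
    "server-app": {"type": "confidential", "secret": "constructed-server-secret"},
    "desktop-app": {"type": "public", "secret": "constructed-embedded-secret"},
}
ISSUED_CODES = {}  # authorization code -> {"client_id", "code_challenge"}

def pkce_challenge(verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize(client_id, code_challenge=None):
    """Authorization endpoint: issue a one-time code bound to the PKCE challenge."""
    if CLIENTS[client_id]["type"] == "public" and code_challenge is None:
        raise ValueError("public clients must send a code_challenge")
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = {"client_id": client_id, "code_challenge": code_challenge}
    return code

def exchange(client_id, code, client_secret=None, code_verifier=None):
    """Token endpoint: return True if a token would be issued for this request."""
    record = ISSUED_CODES.pop(code, None)  # single use: any attempt burns the code
    if record is None or record["client_id"] != client_id:
        return False
    client = CLIENTS[client_id]
    if client["type"] == "confidential":
        # Only a caller that really holds the secret can be the registered server app.
        return bool(client_secret) and hmac.compare_digest(client_secret, client["secret"])
    # Public client: the embedded secret is extractable, so it carries no weight here.
    # The code can only be redeemed by the process that generated the verifier.
    if not code_verifier:
        return False
    return hmac.compare_digest(pkce_challenge(code_verifier), record["code_challenge"])

def run_public_client_flow(interceptor_gets_code_first=False):
    """Desktop app flow; optionally a party holding the extracted secret and the
    captured code tries to redeem it before the app does."""
    verifier = secrets.token_urlsafe(32)  # lives only in this session's memory
    code = authorize("desktop-app", pkce_challenge(verifier))
    if interceptor_gets_code_first:
        # The binary's secret plus the code is not enough: there is no verifier.
        return exchange("desktop-app", code, client_secret="constructed-embedded-secret")
    return exchange("desktop-app", code, code_verifier=verifier)
```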