Skip to content

extend an existing token with refresh token grant: plain text in the source code? not! #600

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
srt10coupe opened this issue Jan 19, 2025 · 4 comments
Closed

extend an existing token with refresh token grant: plain text in the source code? not! #600

srt10coupe opened this issue Jan 19, 2025 · 4 comments
Labels
question

Comments

@srt10coupe
Copy link

I can't write my clientID and clientSecret in plain text in my source code.

Saving user name and password in the keychain also makes no sense.

How can I retrieve the ClientID and ClientSecret from the server and save them in the keychain?

iOS / MacOS / Swift / SwiftUI
@chriskapp
Copy link
Member

Hi @srt10coupe I'am not sure about your concrete use case but in in general I would recommend to either provide the clientId and clientSecret through an environment variable or that the user always needs to enter the credentials on start of the app. I would then store the obtained access token so that the user only needs to enter the credentials, in case no valid access token is available. You can also configure the lifetime of the access token at the Fusio config, by default it is 2 days s.
https://github.com/apioo/fusio/blob/master/configuration.php#L10

@srt10coupe
Copy link
Author

srt10coupe commented Jan 19, 2025
edited
Loading

Hi @chriskapp, that's what I did too.

The user must log in. After 2 days the access token has expired. I have a refresh_token variable in it, but without client_id and client_secret the new access token is not retrieved.

I do not want the user to have to log in again and again, the access token should renew itself.

Now I have written my client_id and client_secret plain text in the source code of the app to debug, which I don't want to do in the release...

Is there a way to retrieve the client_id and client_secret via an API or so?

Or how else do I get the client_id client_secret in my app?

Or how else can I retrieve the new access token

'fusio_expire_token' => 'P90D', 'fusio_expire_refresh' => 'P3D', 'fusio_expire_app' => 'P90D', 'fusio_expire_consumer' => 'P90D',

These are my configurations, but all my tokens have only 2 days

@srt10coupe
Copy link
Author

Hi,I found the following https://url.com/`public/consumer/app`
"totalResults": 1, "startIndex": 0, "itemsPerPage": 16, "entry": [ { "id": 6, "userId": 3, "status": 1, "name": "NameOfTheApp", "appKey": "XXXXXXXXXXXXXXXXXXXXX", "date": "2025-01-08T15:21:24Z" } ]

Why is only the appKey provided and not the appSecret? Because that would solve my problem.

@chriskapp
Copy link
Member

@srt10coupe you can get the secret by requesting the detail endpoint s. /consumer/app/6 which returns also the secret.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@srt10coupe @chriskapp