Safety of OAuth client secret in .gitconfig

[eboskma]

I was wondering, how safe is it to store the OAuth client secret (and perhaps also the client ID) in plain text in .gitconfig? It seems like a bit of a security issue (it is called 'secret' for a reason), especially since I keep my dotfiles in a public git repository.

Maybe I'm overthinking it, but I like to err on the side of caution in cases like this.

[hickford]

It's harmless but confusing. There are two kinds of OAuth client, public clients and confidential clients. It's expected the "secrets" of public clients such as native apps are non-confidential https://datatracker.ietf.org/doc/html/rfc8252#section-8.5

Secrets that are statically included as part of an app distributed to multiple users should not be treated as confidential secrets, as one user may inspect their copy and learn the shared secret.

For this reason, enlightened servers allow public clients to authenticate with just client id, omitting the secret:

it is NOT RECOMMENDED for authorization servers to require client authentication of public native apps clients using a shared secret, as this serves little value beyond client identification which is already provided by the "client_id" request parameter.

You can omit client secret when authenticating to GitLab or Gitea hickford/git-credential-oauth#17

[eboskma]

Ah, right, that makes sense. Thanks for clearing that up!