I'm building a custom Power BI DataConnector which uses OAuth. I'm following the GitHub example. But this stores client credentials (required for the 'code flow' in OAuth) as plain text files. Is there a secure alternative to this?
Unfortunately, due to the current "state of the art" there is no way to securely protect these credentials, according to Microsoft staffer Curt Hagenlocher:
There is no way to protect a secret on someone's desktop. That's why some OAuth providers (like AAD) support a "native app" mode where there's a client id but no secret. The most recent development in this space is PKCE, and we're aiming to have sample code for that later this year.
In principle, a secret could be supplied separately for service use -- and I'd like to see us do that some day -- but there's a lot of infrastructure which would need to be created to support that.
I suggested encryption of the module itself and Curt's response was that this too would be ineffective:
All someone needs to do is have Fiddler running and they can see exactly what secret is being sent to the token endpoint.
Full conversation:
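To make the "native app" / PKCE point concrete, here is an added example (not code from the question, the answer, or Microsoft's sample connector) of the pieces a public client and the authorization server exchange under RFC 7636. The endpoint URL, client id and redirect URI are placeholders assumed for illustration; the Power Query M wiring that would call these steps from a connector's StartLogin/FinishLogin is not shown. The key property it demonstrates: the token request carries no client_secret, so there is nothing in the .mez or on the wire for a Fiddler session to harvest and reuse; the per-flow code_verifier is what proves possession, and an attacker who captured only the authorization code cannot redeem it.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Placeholders assumed for this example; substitute your provider's values.
AUTHORIZE_URL = "https://login.example.com/oauth2/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://oauth.powerbi.com/views/oauthredirect.html"


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 base64url characters, the RFC minimum.
    # Generated fresh per login and kept only in client memory.
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: the challenge is the base64url SHA-256 of the verifier.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Browser-facing request: only the challenge leaves the client."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def build_token_request(verifier: str, code: str) -> dict:
    """Token endpoint body. Note what is absent: there is no client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """The check the authorization server performs when the code is redeemed.

    stored_challenge is the code_challenge it saved alongside the issued
    authorization code; the redemption succeeds only if the presented
    verifier hashes back to it.
    """
    if not (43 <= len(presented_verifier) <= 128):
        return False
    return secrets.compare_digest(
        make_code_challenge(presented_verifier), stored_challenge
    )


def intercepted_code_is_useless(verifier: str, code: str) -> bool:
    """Model the Fiddler scenario: the attacker saw the authorization code
    and the challenge on the wire, but never the verifier. Returns True when
    the server rejects their redemption attempt."""
    challenge_seen_by_server = make_code_challenge(verifier)
    attacker_guess = make_code_verifier()  # a fresh value, not the real one
    attacker_request = build_token_request(attacker_guess, code)
    return not server_accepts(challenge_seen_by_server, attacker_request["code_verifier"])


if __name__ == "__main__":
    v = make_code_verifier()
    print(build_authorize_url(v, state=secrets.token_urlsafe(16)))
    print(build_token_request(v, code="<code from redirect>"))
    print("legitimate client accepted:", server_accepts(make_code_challenge(v), v))
    print("attacker with code only rejected:", intercepted_code_is_useless(v, "<code>"))
```

The verifier never appears in the connector package or in the browser redirect, only in the single token request that consumes it, so there is no static value to extract from the .mez. This removes the need for a secret; it does not authenticate the application itself, which is exactly the limitation Curt describes for desktop software.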
.mez file - not just hiding it from your .gitignore? – Apathy
client_id since that's less "essential" and then use the Authentication Method of Key to hold the client_secret in the user credential? But that depends on you not needing to do a user login at the same time. – Apathy
.mez file, and that bothers me. I even took a look at one of the bundled .mez files in Power BI desktop and found its client id and secret hard coded as plain text :( – Anosmia