
I'm building a custom Power BI DataConnector which uses OAuth. I'm following the GitHub example. But this stores client credentials (required for the 'code flow' in OAuth) as plain text files. Is there a secure alternative to this?

Neeraj
  • Does the point you're talking about with plain text files apply to the `.mez` file - not just hiding it from your `.gitignore` ? – sgdata Apr 18 '20 at 13:06
  • I was thinking you might be able to at least static code the `client_id` since that's less "essential" and then use the Authentication Method of `Key` to hold the `client_secret` in the user credential? But that depends on you not needing to do a user login at the same time. – sgdata Apr 18 '20 at 13:07
  • Useful link: https://learn.microsoft.com/en-us/power-query/handlingauthentication – sgdata Apr 18 '20 at 13:08
  • 1
    yes, the plain text secret is added it to the `.mez` file, and that bothers me. I even took a look at one of the bundled `mez` files in Power BI desktop and found its client id and secret hard coded as plain text :( – Neeraj Apr 20 '20 at 11:32
  • 1
    Opened as a bug and submitted to MSRC as a vulnerability - upvote for visibility! https://community.powerbi.com/t5/Issues/client-id-and-client-secret-unprotected-in-mez-and-pqx-files/idi-p/1037857 – sgdata Apr 21 '20 at 01:24

1 Answer

Unfortunately, due to the current "state of the art", there is no way to securely protect these credentials, according to Microsoft staffer Curt Hagenlocher:

There is no way to protect a secret on someone's desktop. That's why some OAuth providers (like AAD) support a "native app" mode where there's a client id but no secret. The most recent development in this space is PKCE, and we're aiming to have sample code for that later this year.

In principle, a secret could be supplied separately for service use -- and I'd like to see us do that some day -- but there's a lot of infrastructure which would need to be created to support that.

I suggested encryption of the module itself and Curt's response was that this too would be ineffective:

All someone needs to do is have Fiddler running and they can see exactly what secret is being sent to the token endpoint.

Full conversation:

https://github.com/microsoft/DataConnectors/issues/298

sgdata
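The answer's point is that a desktop connector cannot keep a `client_secret` private, and that PKCE (RFC 7636) is the authorization-code variant designed for exactly that situation: the client proves possession of a per-request random `code_verifier` instead of a long-lived secret, so there is nothing in the `.mez` worth extracting. The following Python example is added here to illustrate that flow; it is not code from the question, the answer, or Microsoft's DataConnectors samples. The endpoint URLs, client id, redirect URI and scope are placeholder values, and `token_endpoint_check` stands in for what the authorization server does when it receives the token request.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Placeholder values (assumptions, not a real provider's configuration).
AUTHORIZE_ENDPOINT = "https://example.invalid/oauth2/authorize"
TOKEN_ENDPOINT = "https://example.invalid/oauth2/token"
CLIENT_ID = "public-client-id-placeholder"   # public identifier, safe to ship in the connector
REDIRECT_URI = "https://oauth.powerbi.com/views/oauthredirect.html"
SCOPE = "read"


def _b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 section 4.1/4.2 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Fresh high-entropy verifier: 32 random bytes -> 43 unreserved chars (RFC 7636 minimum)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Authorization request carrying the challenge; note there is no client_secret anywhere."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def build_token_request(verifier: str, code: str) -> dict:
    """Token request body: the verifier replaces the secret that a confidential client would send."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def token_endpoint_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the server does: recompute S256 over the presented verifier and compare in constant time.
    Someone who captured the authorization code (or sniffed the earlier request with a proxy) still
    lacks the verifier, so the code alone cannot be redeemed."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    st = secrets.token_urlsafe(16)
    print("authorize:", build_authorize_url(v, st))
    # The server stores the challenge from the authorize request with the issued code.
    stored = code_challenge_s256(v)
    print("token request:", build_token_request(v, "code-from-redirect-placeholder"))
    print("server accepts verifier:", token_endpoint_check(stored, v))
    print("server accepts a guessed verifier:", token_endpoint_check(stored, make_code_verifier()))
```

The verifier is generated per authorization attempt and lives only in memory for the duration of the flow, which is why intercepting the traffic with Fiddler, as described in the answer, yields nothing reusable: the challenge seen on the wire is a one-way hash, and the verifier is consumed by the single token request that redeems the code.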