SDK Secret Protection

This is a pretty serious security issue that was semi-addressed in this post.

The problem is that the native SDKs require the SDK secret to be exposed to the client as a function argument. The two solutions that were offered by the staff in the post will still result in the client receiving the SDK secret at some point in the process, which is still insecure at the end of the day.

The last sentence in the post written by the staff was

“you might need to implement this OAuth process on your side”

I fail to understand how this is possible, since the native SDK requires the SDK secret as a function argument. No amount of OAuth that we implement can get around this fact.

If someone could enlighten me on this topic I would greatly appreciate it.

Hi @rockespecialee, JWT support for SDK initialization has been added since the original post you’ve linked; have you looked into that functionality? With JWT initialization, you can store your sensitive keys on a backend server and generate the JWT token on the backend for the client, so the SDK client does not need to be aware of the secret key.

Hi @nraj,

Can you please describe how to generate the JWT token on the backend?

I am unclear on how to securely hide API secret and key using this method.

Thank you

Hi @franktc,

Using a webserver you can implement an API endpoint for generating the JWT token. So the SDK client makes an HTTP request for a JWT token to your server, the server then generates the JWT using the SDK secret key and returns it to the client as part of the HTTP response. That way, the client is never aware of the SDK secret key since the webserver manages the keys.

Hi @nraj,

Thank you for the information!

I am new to the process of generating the JWT Token with an API endpoint. Is this post showing the workflow you’re describing?

If not, do you know of any examples I can reference to implement this method?

I am using basic javascript and HTML, using the example CDN as a base. I am hosting through GoDaddy. Thank you.

Yes, I have implemented the JWT on a web app but was under the impression the macOS SDK did not accept JWT. Upon further inspection the file ZMSDKAuthHelper.m does include functionality involving the JWT; I am assuming this is what we need to use JWT with the SDK.

There is another insecure point in this file in the function loginWithEmail() where the password is passed in as a raw string. I am assuming this is for obtaining the OAuth token?