hobby/personal use of python-sdk on open-source project
I'm the creator of an open-source project that uses the python box-sdk. The application uses the traditional oauth2 dance (sure, jwt would also work). However, this project is intended to be installed on the user's machine, essentially daemonized.
The user may be a bit on the tech savvy side (as the project is built around Linux), but right now the setup is not simple.
Because of the open-source nature (and it is python, so the code is human-readable), I can't simply store the oauth2 credentials from my box developer application in the app. Anyone who is nefarious could simply do bad things with it.
I have a potential user who I've been working with trying to get the project set up on their computer. We have realized how unrealistic it is for non-devs (and even then) to get it running.
So, I could be misunderstanding the dev docs, but in the case that I'm not, is there another way that I can distribute my application such that it can run and work, without me putting sensitive credentials in it?
UPDATE:
Looks like there is a new section to the python SDK README about RemoteOAuth2. I'll update if I find that this works for me. Unfortunately, it seems I'll have to have some server setup that does the oauth2 creds dance...but I suppose that isn't so bad.
-
Thanks for the reply.
I'm not sure that is the correct solution. As I said, the software will get installed on the client's machine, so they would have access to all of the credentials, if they so wanted. It's a non-zero risk that is easy to exploit if they care to.
If you do think I could, could you explain in more detail how I would, given these concerns?
I could submit a version of the app (a slimmed down version that respects the RemoteOAuth2 python class) to the marketplace, yes, but there is definitely still some setup that has to take place that I'm still working out.
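Added example, not code from the original post or from the Box SDK: the token-broker split that RemoteOAuth2 enables, where the distributed client never holds the client secret and only calls your server for a fresh access token. The callback shape (current access token in, new access token out) follows the SDK README; `box_refresh`, `SESSIONS`, `register_session`, `broker_refresh` and the session-id scheme are assumed names for this illustration.

```python
"""Token-broker pattern for a distributed open-source desktop app.

Only the broker (your own server) ever sees the Box client secret; the
shipped client holds an opaque session id and the short-lived access token
the broker hands it. Box's token endpoint is an in-memory stand-in here.
"""
import secrets
from typing import Callable, Dict, Optional, Tuple

# ---- broker side: runs on your server, the only place the secret lives ----
CLIENT_SECRET = "server-side-only-placeholder"  # constructed, never shipped
SESSIONS: Dict[str, str] = {}  # session_id -> refresh token from the OAuth2 dance

def box_refresh(refresh_token: str) -> Tuple[str, str]:
    """Stand-in for POST /oauth2/token, grant_type=refresh_token. The real
    request carries CLIENT_SECRET, which is why it lives on the broker."""
    return "at_" + secrets.token_hex(8), "rt_" + secrets.token_hex(8)

def register_session(session_id: str, refresh_token: str) -> None:
    """Store the refresh token obtained when the user finished the dance."""
    SESSIONS[session_id] = refresh_token

def broker_refresh(session_id: str) -> Optional[str]:
    """Endpoint the client calls: returns a fresh access token, or None."""
    refresh_token = SESSIONS.get(session_id)
    if refresh_token is None:
        return None  # unknown or revoked session
    access_token, new_refresh = box_refresh(refresh_token)
    SESSIONS[session_id] = new_refresh  # rotate; refresh token never leaves
    return access_token

# ---- client side: ships in the open-source app, contains no secret ----
def make_retrieve_access_token(
    session_id: str, call_broker: Callable[[str], Optional[str]]
) -> Callable[[Optional[str]], str]:
    """Build the retrieve_access_token callback RemoteOAuth2 invokes on refresh."""
    def retrieve_access_token(current_token: Optional[str]) -> str:
        new_token = call_broker(session_id)  # an HTTPS call to the broker in real use
        if not new_token:
            raise RuntimeError("broker rejected session; redo the OAuth2 dance")
        return new_token
    return retrieve_access_token

def demo() -> Tuple[str, bool]:
    """Register a session, refresh via the client callback, report rotation."""
    register_session("sess-1", "rt_initial")
    token = make_retrieve_access_token("sess-1", broker_refresh)(None)
    return token, SESSIONS["sess-1"] != "rt_initial"
```

In a real deployment the broker must authenticate the caller before honouring a session id, and the client would pass `retrieve_access_token` to the SDK's `RemoteOAuth2` in place of holding a client id and secret.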