Bug 1685414 Comment 15 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

> we currently use a client secret

We do that for all OAuth2 providers. But we can tell the provider that this client will be public and that they shouldn't trust it. That's what this bug is about: We're telling Microsoft that the secret is confidential and remains on our servers only. We should be telling Microsoft that this secret is part of an application that ships to end users. They have a specific flag for that. This bug is about setting that flag. That's all.

> I don't have any visibility into the current configuration, unfortunately.

Yes, whoever wants to fix this needs access to the Microsoft account (i.e. password to that account) that we used to create the client ID, and change the configuration of that client ID.

> we currently use a client secret

We do that for all OAuth2 providers. But we can tell the provider that this client will be public and that they shouldn't trust it. That's what this bug is about: We're telling Microsoft that the secret is confidential and remains on our servers only. We should be telling Microsoft that this secret is part of an application that ships to end users. They have a specific flag for that. This bug is about setting that flag. That's all.

> I don't have any visibility into the current configuration, unfortunately.

Yes, whoever wants to fix this bug needs access to the Microsoft account (i.e. needs to know the password to that account) which we used to create the client ID, and change the configuration of that client ID.

> we currently use a client secret

We do that for all OAuth2 providers. But we can tell the provider that this client will be public and that they shouldn't trust it. That's what this bug is about: We're currently incorrectly telling Microsoft that the secret is confidential and remains on our servers only. We should be telling Microsoft that this secret is part of an application that ships to end users. They have a specific flag for that. This bug is about setting that flag. That's all.

> I don't have any visibility into the current configuration, unfortunately.

Yes, whoever wants to fix this bug needs access to the Microsoft account (i.e. needs to know the password to that account) which we used to create the client ID, and change the configuration of that client ID.
