Add RFC: libobs keychain APIs #54
Conversation
|
In implemeting this in obsproject/obs-studio#9122 I was wondering if perhaps there is a need for something like |
|
Updated with |
| - Linux: `libsecret` | ||
|
|
||
| The `label` is a user-visible component that may be displayed in keychain management applications as the label or name of an entry. It must be specified, ASCII only, and must be human-readable. | ||
| In most cases it should identify the component and contents, e.g. for OAuth credentials stored by the OBS Studio UI this could be "OBS Studio OAuth Credentials". |
There was a problem hiding this comment.
For better discoverability (and transparency) I'd prefer if any keychain item is automatically prefixed with "OBS Studio" followed by the label chosen by any given implementation.
This would reduce the need for implementors to be "good citizens" and prefixing their labels themselves.
There was a problem hiding this comment.
I agree, though that gets into the libobs vs OBS Studio discussion. While I personally think that this distinction doesn't matter in any practical sense, others have disagreed. Perhaps this could be solved by setting a prefix to use on libobs initialisation or something.
There was a problem hiding this comment.
Right, that would require an API function that allows the frontend to set the prefix.
Is this functionality serving a need of libobs or of our UI? Because if it's the latter, code would only be implemented in the UI and as such the implementation can use the default "OBS Studio" prefix, because it's not a libobs functionality.
There was a problem hiding this comment.
With the goal of migrating service integrations into plugins, I believed it would make the most sense to have this functionality within libobs rather than the frontend. Implementing it within the frontend API may also be possible, I'm not sure if there are any plugins that store credentials (e.g. websockets, cloud captions) that don't also link against the frontend.
There was a problem hiding this comment.
Yeah that makes sense then.
I wouldn't mind if the prefix ends up being libobs, though a "product name" would be common as a prefix and probably also more recognisable to users.
Summary
Proposes a libobs platform API for keychain access which can be used to securely store credentials.
Motivation and Context
While the credentials stored by OBS in profiles are not of severe sensitivity due to limited scope, as a modern desktop application we should still do our best to store them securely.
Link to RFC