include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

include::../common/impact/rationale.adoc[]

include::../../../shared_content/secrets/impact/financial_loss.adoc[]

include::../../../shared_content/secrets/impact/security_downgrade.adoc[]

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/recent_use.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

include::../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from requests_oauthlib.oauth2_session import OAuth2Session

scope = ['https://www.api.example.com/auth/example.data']
oauth = OAuth2Session(
    'example_client_id',
    redirect_uri='https://callback.example.com/uri',
    scope=scope)

token = oauth.fetch_token(
    'https://api.example.com/o/oauth2/token',
    client_secret='example_Password')  # Noncompliant
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from os import environ
from requests_oauthlib.oauth2_session import OAuth2Session

scope = ['https://www.api.example.com/auth/example.data']
oauth = OAuth2Session(
    'example_client_id',
    redirect_uri='https://callback.example.com/uri',
    scope=scope)

# The client secret is read from the environment instead of being committed with the code.
password = environ.get('OAUTH_SECRET')
token = oauth.fetch_token(
    'https://api.example.com/o/oauth2/token',
    client_secret=password)
----

include::../common/fix/how-it-works.adoc[]

== Resources

include::../common/resources/documentation.adoc[]

include::../common/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Revoke and change this password, as it is compromised.

=== Highlighting

Highlight the credential use and its initialization.

'''
endif::env-github,rspecator-view[]
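The following is an added example, not part of the rule description above and not the analyzer's own implementation. It shows the two things the code examples and the highlighting note call for: a small AST-based check that reports a string literal passed as `client_secret` (together with the assignment that initialized it, when the literal arrives through a simple `name = 'literal'` binding one step back), and a fail-fast loader that refuses to start when `OAUTH_SECRET` is absent, since `environ.get()` in the compliant solution silently yields `None`. The three source snippets, the function names and the `OAUTH_SECRET` variable name are constructed for the example.

```python
"""Added example: detect hard-coded OAuth client secrets in Python source and
load the secret from the environment with a fail-fast check. Not SonarSource
code; snippets below are constructed from the rule's own examples."""
import ast
from typing import Dict, List, Mapping, Optional, Tuple

# One finding per credential use: (line of the `client_secret=` use,
# line of the string literal that initialized it).
Finding = Tuple[int, int]


def _string_assignments(tree: ast.AST) -> Dict[str, int]:
    """Map names bound by `name = 'literal'` to the line of that assignment."""
    bound: Dict[str, int] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1:
            target, value = node.targets[0], node.value
            if (isinstance(target, ast.Name)
                    and isinstance(value, ast.Constant)
                    and isinstance(value.value, str)):
                bound[target.id] = node.lineno
    return bound


def find_hardcoded_client_secrets(source: str) -> List[Finding]:
    """Return findings for every call whose client_secret= is a string literal,
    directly or through a one-step `name = 'literal'` assignment."""
    tree = ast.parse(source)
    literal_names = _string_assignments(tree)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "client_secret":
                continue
            value = kw.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                # Use and initialization are the same line.
                findings.append((value.lineno, value.lineno))
            elif isinstance(value, ast.Name) and value.id in literal_names:
                # Use here, initialization at the assignment that bound the literal.
                findings.append((value.lineno, literal_names[value.id]))
    return findings


def client_secret_from_env(env: Mapping[str, str], name: str = "OAUTH_SECRET") -> str:
    """Fail at startup instead of sending client_secret=None to the token endpoint."""
    secret = env.get(name)
    if not secret:
        raise RuntimeError(f"{name} is not set; refusing to start without the OAuth client secret")
    return secret


# Constructed inputs, shortened from the rule's examples.
NONCOMPLIANT = """\
from requests_oauthlib.oauth2_session import OAuth2Session

oauth = OAuth2Session('example_client_id')
token = oauth.fetch_token(
    'https://api.example.com/o/oauth2/token',
    client_secret='example_Password')
"""

INDIRECT = """\
from requests_oauthlib.oauth2_session import OAuth2Session

password = 'example_Password'
oauth = OAuth2Session('example_client_id')
token = oauth.fetch_token(
    'https://api.example.com/o/oauth2/token',
    client_secret=password)
"""

COMPLIANT = """\
from os import environ
from requests_oauthlib.oauth2_session import OAuth2Session

password = environ.get('OAUTH_SECRET')
oauth = OAuth2Session('example_client_id')
token = oauth.fetch_token(
    'https://api.example.com/o/oauth2/token',
    client_secret=password)
"""

if __name__ == "__main__":
    for label, src in (("noncompliant", NONCOMPLIANT),
                       ("indirect", INDIRECT),
                       ("compliant", COMPLIANT)):
        print(label, find_hardcoded_client_secrets(src))
```

Running the module prints `[(6, 6)]` for the direct literal, `[(7, 3)]` for the literal passed through a variable (use on line 7, initialization on line 3), and `[]` for the environment-backed version; the two line numbers are exactly the spans the Highlighting note above asks to mark.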