
Why OAuth keys on the front-end are discouraged?


I'm developing an application that will use social login in order to post messages on Facebook, Twitter, etc., and I read a lot of threads that say that OAuth keys should be kept on the server side for security reasons.

I know it may sound like a stupid question, but why is that so? If I created a Facebook application that is only allowed to manage logins and message posts, the worst thing that could happen is that some bad guy gets the keys that are stored in the front-end and uses them to log in and post a message, but nothing else, so he cannot do any damage...

Obviously I'm still trying to understand how the whole process works, so I'm not an expert yet.

For completeness' sake, the whole program is going to be an Electron desktop application, and I'm trying to reduce costs by not having a server that does the work of publishing messages, not even a serverless back-end on AWS.

Thank you in advance for your answers!


Solution

  • Try thinking about it in terms of trust of neighbors.

    You have a key to your neighbor named Lenny who lives in the house to your left and another neighbor Rhonda who lives to your right. You have known Rhonda for several years and she trusts you to keep a copy of her key in case she gets locked out or loses her key.

    Lenny is pretty new but you've had drinks with him once and he seems like a reasonable person. What you don't know is that Lenny moved here from a small town and he doesn't keep his doors locked.

    You are leaving for the weekend and ask Lenny to come over and give your cat Snuggles some milk. Lenny brings your key along to your house but he didn't know that Brad the Bad Guy who lives across the street was watching him and had seen you leave earlier.

    Now Lenny leaves for work and doesn't lock his house. Normally this isn't a problem because Lenny lives a pretty simple, solitary life with few possessions, but Brad knows he has your key. Brad steals your key, goes and steals your brand new TV, and while in your house he finds Rhonda's key (which he also steals) and goes and steals her TV. He puts both keys back where he found them and returns home with two TVs. Now Lenny comes home, and when he comes to water your plants he is dumbfounded to find the TV gone and the house locked. He calls the police, who immediately suspect Lenny because, well, he had the key.

    Don't be Lenny; lock your house (API keys) even if you're a good and trusting person.

    Edit: To the question of what could go wrong with an Electron app. Imagine I lose my Twitter API keys. Now Brad goes and makes a knockoff app. It is very similar to mine, and as described above his app is indistinguishable from mine from Twitter's perspective. Perhaps the API key has more than just post permissions; it has delete permissions too. Now Brad's knockoff app gets to delete people's Twitter accounts and post malware or other things. Brad is the one doing this, but Twitter comes to me and accuses me of running a spam bot. They preventatively disable my API key, and now all of my legit customers are super angry and question how secure other areas of my app are. My reputation suffers and people say my app is "infected" because the tweets show up as posted by my app and not Brad's app. If Twitter determines you can't keep your keys safe, they may stop issuing you new keys.