Reputation: 17679
Why does Google provide a client secret for a Native application?
I'm writing a native application that works against a Google API. Upon registering my application, and despite its explicit designation as Native, the Google Developers Console provides me with a client secret.
As far as I understand the OAuth 2.0 protocol, native apps should never have a client secret, since they cannot guarantee its secrecy. Is Google mistaken in its implementation of OAuth 2.0? How should I proceed?
Upvotes: 6
Views: 1446
Answers (1)
Reputation: 2457
You are correct, the client secret isn't terribly useful in a native application from a being kept secret perspective. I suspect it's there mainly for consistency with the web application flow.
It does however have at least 1 useful feature... the original developer can reset it at any time, effectively revoking all refresh tokens bound to that client ID.
Upvotes: 5
Related Questions
- Why Google native oauth2 flow require client secret?
- client secret in OAuth 2.0
- What does the Google Client Secret in an OAuth2 application give access to?
- What the attacker could do if he obtains application's client_secret?
- What exactly is the client secret for Google OAuth2?
- How and why ot protect client secret in oauth2
- Google's OAuth 2.0 for installed apps and Client Secret not being a secret
- Why isn't the client secret needed for OAuth from Javascript?
- Why Google OAuth2 needs client secret and refresh token to get access token?
- What's the purpose of the client secret in OAuth2?