Reputation: 121
I'm developing a Google Chrome extension with its own OAuth authorization. Of course, I have to use the client_id and client_secret to request a token. Is there any way to hide this data from the user? As this request is just part of the JavaScript source code, I have no idea how to prevent this data from being read. Thanks for your answers.
Upvotes: 5
Views: 1938
Reputation: 6791
Well, using OAuth 2.0 for Installed Applications, it is described as:
The Google OAuth 2.0 endpoint supports applications that are installed on a device such as a computer, a cell phone, or a tablet. Installed apps are distributed to individual machines, and it is assumed that these apps cannot keep secrets. These apps might access a Google API while the user is present at the app, or when the app is running in the background.
Note: The client ID and client secret obtained from the Developers Console are embedded in the source code of your application. In this context, the client secret is obviously not treated as a secret.
Based on this description, "there is no established consumer key/secret between the service provider and the application. That is, there is no web application URL for the user to be redirected to after the approval process. In the installed applications OAuth dance, the consumer key/secret are ‘anonymous’/‘anonymous’ and you provide an application name for the user to grant access to (instead of an application URL)".
Tutorial link for proper implementation of OAuth.
I hope this helps
Upvotes: 1
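The point quoted in the answer above, that anything shipped in an installed app's source can be read by its user, can be checked against an extension before release. The following is an added example, not part of the original answer or of Google's documentation: a Node.js scan of extension source text for hard-coded `client_id`/`client_secret` values. The function names, file names and sample values are constructed for illustration.

```javascript
// Added example: every name and sample value below is constructed.

// Literal forms:  client_secret: "x"   "client_secret": "x"   client_secret = 'x'
const LITERAL_RE =
  /\b(client_id|client_secret)\b["']?\s*[:=]\s*["'`]([\w.~-]+)["'`]/gi;
// Query/form-body forms inside a string:  "?client_id=x&client_secret=y"
const QUERY_RE = /(?<=[?&"'`])(client_id|client_secret)=([\w.~-]+)/gi;

// Keep only a short prefix so the report does not become a second copy of the value.
function redact(value) {
  return value.length <= 4 ? "****" : value.slice(0, 4) + "*".repeat(value.length - 4);
}

// files: { "path/inside/extension.js": "source text", ... }
// Returns one finding per hard-coded credential literal.
function findEmbeddedOAuthCredentials(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const re of [LITERAL_RE, QUERY_RE]) {
        for (const m of line.matchAll(re)) {
          findings.push({ file, line: i + 1, key: m[1].toLowerCase(), value: redact(m[2]) });
        }
      }
    });
  }
  return findings;
}

// Constructed sample: what an unpacked extension directory might contain.
const SAMPLE_EXTENSION = {
  "background.js": [
    "const oauth = {",
    '  client_id: "1234567890-example.apps.example.test",',
    '  client_secret: "CONSTRUCTED-secret-value",',
    "};",
    // Built from a variable, not a literal: should not be reported a second time.
    'const body = "grant_type=authorization_code&client_secret=" + oauth.client_secret;',
  ].join("\n"),
  "token.js": 'fetch(url + "?client_id=abcd1234&code=" + code);',
};

for (const f of findEmbeddedOAuthCredentials(SAMPLE_EXTENSION)) {
  console.log(`${f.file}:${f.line}  ${f.key} = ${f.value}`);
}
```

A finding for `client_secret` here means the value is effectively public once the extension is distributed, which is the situation the quoted documentation describes.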