sherlock

Reputation: 2807

Why isn't the client secret needed for OAuth from Javascript?

Good news is that I followed the official tutorial on accessing the Google Drive REST API over Javascript and it worked. However, client_id is used in the code, but client_secret is not.

/**
 * Check if current user has authorized this application.
 * Only the public client_id is sent: gapi.auth.authorize uses the
 * implicit grant, so there is no client_secret anywhere in this code.
 */
function checkAuth() {
  gapi.auth.authorize(
    {
      'client_id': CLIENT_ID,      // public identifier from the developer console
      'scope': SCOPES.join(' '),   // space-separated list of requested scopes
      'immediate': true            // try silently, without showing a consent popup
    }, handleAuthResult);
}

While registering the app, I was given a client_secret which has never been used. Shouldn't client_secret be sent out in the auth_token request as explained here and here?

As mentioned in a comment below, I perfectly understand that client_id is public as opposed to client_secret. What surprises me is how Google's OAuth 2.0 works in spite of not using client_secret to obtain auth_token. Isn't that mandated by the OAuth 2.0 specification? What is preventing a malicious app from impersonating a legitimate one?

I can set localhost:8000 as my Javascript origin.


Upvotes: 3

Views: 2793

Answers (1)

Linda Lawton - DaImTo

Reputation: 116968

Both client id and client secret are used to identify your application. The client id is public information and is OK to show to users. The secret must be kept secret, or anyone could potentially use your application's credentials.

JavaScript is client side so if you view source on the page you can see the client id. If your code also included the secret then they would see that as well and be able to use it.

I suspect that this is the reason we need to use the JavaScript origin: it adds an extra layer of security instead of using the secret in JavaScript applications.

RFC6749

The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication. The client identifier is unique to the authorization server.

English: the Google developer console registers the application (client), creating a unique string to identify that client (project). The client id is not a secret and should be shown to the owner of the data.

4.1. Authorization Code Grant: the client secret is not a required part of the authorization code exchange as far as I can see.

Upvotes: 1
