Reputation: 17195
Similar questions have been asked before (1, 2), but not explicitly answered:
Is it safe to store the client id and client secret credentials obtained for an Installed application -> Other for the Google API in the distributed source code of a command line application? Or will it be possible to access user accounts or data without the access_token granted by user consent?
The Google API docs specify that:
.. results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)
It is apparent from other documentation that this is not best practice: the client_secret should not even be provided by the service, but it is currently required by the oauth2 and googleapiclient libraries (for Python), and probably by the Google service as well.
The application will use oauth2 based on these official examples.
References, a good explanation, or documentation that confirms whether this is truly safe or not would be much appreciated.
Upvotes: 9
Views: 1757
Reputation: 5279
TLDR: For desktop app clients, don't enable Google API scopes that may cost you money.
Let's imagine both scenarios:
You use the PKCE flow with no client secret. The attacker uses the PKCE flow with your OAuth client ID to impersonate your app. Whatever scopes you've assigned to that client are available to the attacker. They still need to authenticate with a Google Account.
You use the PKCE flow with a client secret. The attacker uses the PKCE flow with your OAuth client ID and secret to impersonate your app. Whatever scopes you've assigned to that client are available to the attacker. They still need to authenticate with a Google Account.
It's pretty much the same, secret or no secret. The attacker still needs to provide their own Google Account and can only access their own information.
The moral of the story is that an attacker can access whatever Google API scopes you assign to a desktop client, whether you include the client secret or not. If this is a deal breaker, move OAuth out of the desktop app.
Upvotes: 2
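To make the answer's two scenarios concrete, here is an added example (not from the question, the answer, or Google's client libraries) of the RFC 7636 PKCE pieces an installed app relies on. The client_id, endpoint and redirect URI below are constructed placeholders; only the per-run code_verifier is secret, and it is generated in process memory and never ships in the source. An attacker who copies the public client_id can start the same flow, but the token endpoint will still only issue tokens for the Google Account that actually consents, which is the point the answer makes.

```python
# Added example (not from the question or any answer): minimal RFC 7636 PKCE
# helpers for an installed/desktop OAuth client. Shows that the only secret
# value in the flow is the per-run code_verifier, not the embedded client_id.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; a real app uses its own client ID and the
# endpoints from its downloaded client configuration.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder, public
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
REDIRECT_URI = "http://127.0.0.1:8080/"  # loopback redirect typical for installed apps


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random URL-safe string of 43..128 chars (RFC 7636 section 4.1)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(verifier))), no padding (section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_auth_url(client_id: str, challenge: str, scope: str, state: str) -> str:
    """Authorization request the desktop app opens in the user's browser.

    Everything here is either public (client_id, scope) or a one-time value
    derived from the in-memory verifier (code_challenge) or CSRF guard (state).
    """
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint checks when the authorization code is redeemed:
    the caller must present the verifier matching the challenge it sent earlier."""
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


def run_flow_locally() -> dict:
    """Simulate one flow end to end without any network: the app generates the
    verifier, the 'server' stores only the challenge, and redemption succeeds
    only for the holder of that verifier."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    url = build_auth_url(CLIENT_ID, challenge, "openid email", state)
    # A second party that only knows the public client_id has its own verifier
    # and cannot redeem a code bound to ours.
    intruder_verifier = make_code_verifier()
    return {
        "auth_url": url,
        "legit_ok": server_verifies(challenge, verifier),
        "intruder_ok": server_verifies(challenge, intruder_verifier),
    }


if __name__ == "__main__":
    result = run_flow_locally()
    print(result["auth_url"])
    print("legitimate redemption:", result["legit_ok"])
    print("intruder redemption:", result["intruder_ok"])
```

The state parameter and the loopback redirect are there because, with a public client_id, the only things the app can keep private are values it generates fresh for each run; binding the authorization code to the verifier is what stops a copied client_id from redeeming someone else's code.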
Reputation: 1360
The client ID is publicly visible and it is safe to put it in your website, but it is not safe to put your client secret in JS or HTML code in a website.
Upvotes: 1