user321627

Reputation: 2564

I have a Google Drive app that I created, should I be hiding the client secret from users of the app?

I have a Google Drive app I created that helps upload and download files from the command line. It uses a client secret and client id variable to get a refresh token, which I understand to be the user's identification. I am wondering if the secret is something I need to hide from users.

It seems I can get to the auth app page where the user selects their email account without the client secret, but when asking for a refresh token using the verification code, it doesn't go through.

How should I treat my app client secret credential I obtained from https://console.developers.google.com/?

Upvotes: 1

Views: 278

Answers (1)

Linda Lawton - DaImTo

Reputation: 117016

If you read the TOS that you agreed to when you created your client


The client id and client secret identify your application to Google. All requests that come through the auth server with your client id and secret are assumed to be coming from your application. If you give someone else access to that, they can then create their own application using your client id and secret, and to everyone, Google and the users, it will still appear to be your application. Any spamming will be assumed to be you and will get your account blocked; any charges against the quota will be assumed to be you and applied to your billing account.

You may not share your client id and secret. This should be kept embedded in your application for only you and your developers to see.

If this can't be done, then you will need to instruct your users on how to create their own project on Google Developer console and create their own client id and secret, and how to go through the verification process.

Refresh token private user data

Refresh tokens are actually your application's permissions to access a user's data; with that and the client id and secret, anyone can create an access token and access private user data. This again appears in the TOS.


Upvotes: 2
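The fallback described in the answer, where each user creates their own client id and secret, can be handled in a command-line tool as in this added example (not part of the original answer and not code from any Google library). It assumes the user's client file has the fields nested under an `installed` or `web` key; the function names, file names and sample values are hypothetical.

```python
import json
import os
import stat
import tempfile

class CredentialError(Exception):
    """Raised when a credential file is malformed or readable by others."""

def _check_private(path):
    # Refuse files that group/other can access (POSIX permission bits).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        raise CredentialError(f"{path} has mode {oct(mode)}; run chmod 600")

def load_client_config(path):
    """Load the user's own OAuth client instead of shipping the developer's."""
    _check_private(path)
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    # Assumed layout: fields nested under "installed" (desktop) or "web".
    section = (doc.get("installed") or doc.get("web")) if isinstance(doc, dict) else None
    if not isinstance(section, dict):
        raise CredentialError("no 'installed' or 'web' section in client file")
    missing = [k for k in ("client_id", "client_secret") if not section.get(k)]
    if missing:
        raise CredentialError("client file is missing: " + ", ".join(missing))
    return {"client_id": section["client_id"], "client_secret": section["client_secret"]}

def save_refresh_token(path, refresh_token):
    """Store the refresh token in a file only the owner can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)  # tighten a pre-existing file before any data is written
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"refresh_token": refresh_token}, fh)

def load_refresh_token(path):
    _check_private(path)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["refresh_token"]

if __name__ == "__main__":
    # Constructed sample input: placeholder values, not real credentials.
    folder = tempfile.mkdtemp()
    client_file = os.path.join(folder, "client_secret.json")
    with open(client_file, "w", encoding="utf-8") as fh:
        json.dump({"installed": {"client_id": "constructed-id",
                                 "client_secret": "constructed-secret"}}, fh)
    os.chmod(client_file, 0o600)
    print(load_client_config(client_file)["client_id"])
```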
