Reputation: 41
I am using C# .NET with the YouTubeAPI-Nuget Package.
The project is a Desktop application (Avalonia) and I need access to the YouTube channel of the User (to change for example Video Titles).
I don't understand how or where I need to store the client secrets or if I can generate them or how I am going to distribute the program without users having access to my client secrets.
Does every user who wants to use my program need an own client secrets file? If so, how do I autogenerate that? (because I don't want to manually generate client secrets for every user who wants to use it)
And if they only need the one client secrets, then how do I distribute that without putting the file in plain text into the installation folder?
I really don't know and can't find anything on how this should work.
Upvotes: 0
Views: 2538
Reputation: 41
Okay the above answers are my answers but I want to share (with code) how exactly I am going to do what they said.
My CI is going to get my client id and secret as secrets (I am using GitHub Actions).
I create string constants in code:

```csharp
// Placeholder values
private const string ClientId = "CLIENT_ID";
private const string ClientSecret = "CLIENT_SECRET";
```

```csharp
// Actual values
private const string ClientId = "ACTUAL_CLIENT_ID";
private const string ClientSecret = "ACTUAL_CLIENT_SECRET";
```

```
dotnet publish
```

so that it is harder to decompile this. (I am trying to get ConfuserEx to work)
Upvotes: 0
Reputation: 629
BUT...hash or encrypt the string in your code since opening the executable in Notepad can expose the string in clear text. Best if you obfuscate with string encryption...
Upvotes: 2
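Added example (not part of any answer here and not the asker's code): a post-build check a CI job could run to confirm that the substituted client secret is not readable verbatim in the published files, which is the "open it in Notepad" exposure described above. The script name, the `CLIENT_SECRET` environment variable and the sample bytes are assumptions made for illustration.

```python
import os
import sys
from pathlib import Path

# .NET keeps string literals in the assembly's #US heap as UTF-16LE; embedded
# resources or native parts may hold UTF-8, so both encodings are searched.
ENCODINGS = ("utf-8", "utf-16-le")


def find_plaintext(data: bytes, secret: str) -> list[tuple[str, int]]:
    """Return (encoding, offset) for every verbatim occurrence of secret."""
    if not secret:
        raise ValueError("empty secret would match everywhere")
    hits = []
    for enc in ENCODINGS:
        needle = secret.encode(enc)
        pos = data.find(needle)
        while pos != -1:
            hits.append((enc, pos))
            pos = data.find(needle, pos + 1)
    return hits


def scan_publish_dir(root: Path, secret: str) -> dict[str, list[tuple[str, int]]]:
    """Scan every file under root; map relative path -> list of hits."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = find_plaintext(path.read_bytes(), secret)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def main(argv: list[str]) -> int:
    if len(argv) == 2:
        # CI use (assumed): python check_secret.py <publish-dir>, with the
        # secret passed in the environment so it stays out of argv and logs.
        report = scan_publish_dir(Path(argv[1]), os.environ["CLIENT_SECRET"])
        for name, hits in report.items():
            print(f"{name}: secret readable as {[enc for enc, _ in hits]}")
        return 1 if report else 0
    # Constructed sample (not a real build): the post's placeholder as UTF-16LE.
    sample = b"MZ\x90\x00junk" + "ACTUAL_CLIENT_SECRET".encode("utf-16-le")
    print(find_plaintext(sample, "ACTUAL_CLIENT_SECRET"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A clean result only shows that the literal is not stored verbatim; string encryption ships its decryption routine in the same binary, so the value remains recoverable by anyone who runs or decompiles the program.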
Reputation: 117216
> I don't understand how or where I need to store the client secrets or if I can generate them or how I am going to distribute the program without users having access to my client secrets.

As you have a desktop application, when you compile it, ensure that it is compiled as part of the application. Do not send, for example, clientsecret.json as a file along with your application, like a dll. It should be compiled into your application and distributed that way. If you want to go even more OTT, you could store it on an endpoint on your server and have your desktop app fetch it whenever it runs or when it's installed, and store the data locally.

> Does every user who wants to use my program need an own client secrets file? If so, how do I autogenerate that? (because I don't want to manually generate client secrets for every user who wants to use it)

No, your application should have a single client id and client secret pair, which would be used by all of your users.

> And if they only need the one client secrets, then how do I distribute that without putting the file in plain text into the installation folder?

I haven't seen your code, but all you should really need is the client id and the client secret themselves, stored as constants in your application somewhere. You don't actually need the file itself.
Upvotes: 1