Reputation: 45
What does the Google Client Secret in an OAuth2 application give access to?
I am implementing a login flow which uses the Google Client ID and Google Client Secret. I am considering the security implications of the Google Client Secret and who should be able to have access to it.
Currently the Client secret is stored in an environment variable, but I would like to know what someone with access to this secret could do with it to determine which developers should have access to this environment variable and if I should setup a different OAuth2 application in development vs production.
Upvotes: 3
Views: 2798
Answers (2)
Reputation: 6986
It depends on which type of OAuth application you specified. When creating an OAuth client ID in Google Cloud (and with that, a client secret), you are asked to specify the type of application you are creating:
If you choose Web App, your client secret should really be secret, as its treated as such by Google and is used to authenticate your own server. You should therefore hide it and especially not include it in open sourced code.
However, there is also the option of creating a Desktop app, which means you want to use OAuth without having your own server. For this case the documentation by Google says:
The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)
So in this case it's fine (even required) to include the client secret in your app for your users.
Upvotes: 2
Reputation: 116958
Client id and client secret are similar to a login and password. They give your application the ability to request consent of a user to access their data. If you are storing refresh tokens it would also give the user access to create access tokens from your refresh tokens.
Googles TOS states
Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.
You should not be sharing this with anyone. It should only be used by you and your developers.
Yes Ideally you should have a test and production client ids. Test client id can be used by your developers the only one who should be using your production verified project client ids is your production environment. I would store them in some for for secrete store personally.
Upvotes: 1
Related Questions
- client secret in OAuth 2.0
- What the attacker could do if he obtains application's client_secret?
- What exactly is the client secret for Google OAuth2?
- What is the usage of the client_secrets.json file?
- How and why ot protect client secret in oauth2
- Google's OAuth 2.0 for installed apps and Client Secret not being a secret
- Why isn't the client secret needed for OAuth from Javascript?
- Why Google OAuth2 needs client secret and refresh token to get access token?
- What's the purpose of the client secret in OAuth2?
- Why does Google provide a client secret for a Native application?