
I'm a Python beginner, and I want to make a basic Google Tasks client. It'll be a native app. The point I can't get is how to keep the 'client secret' actually secret, as it's to be included in the program code.

I've searched and found a post, quoting a Google forums post, that basically suggests giving the thing away.

I have spent hours trying to get the thing, but I have no answer at the moment. So, I have two questions to ask:

  1. What are the consequences of giving the client secret away?
  2. If letting people see the secret is dangerous, is there a way to keep it secret, or is there a way to do a classic login that supports application-specific passwords to log into the Google account?
j0k

1 Answer


I assume you're talking about OAuth.

Yes, you embed the secret - but no, it's not really a secret; see another post here: OAuth - embedding client secret in your application?.

Google's docs actually say the same thing; from https://developers.google.com/accounts/docs/OAuth2#installed :

The client_id and client_secret obtained during registration are embedded in the source code of your application. In this context, the client_secret is obviously not treated as a secret.

And there's no point in trying to protect it: it has to make its way over the wire to get to Google, and anyone with Fiddler, etc. could watch it in plain text.

As to impact: the idea behind the client secret, I believe, is to protect the client vendor (that's you). Theoretically, if I know your client key and secret, I could make a malicious website/client that lets users log in legitimately but then deletes all their tasks and it would look like you were responsible. That probably makes sense to defend against with web services, but for an installed client, the user presumably downloaded it from somewhere (app store, website, etc) that hopefully made sure it was legitimate.

ckhan
  • Thanks a lot for your answer, I really needed something clear, like your answer. So, can I do a simple login form to grant access? Or should I get into the OAuth2 world, which looks, frankly, hard?... –  Aug 29 '12 at 16:04
  • 1
    Do OAuth2 for sure. It's not as daunting as it looks, and it's actually *less* work than providing a login form (in OAuth, Google provides the form). You don't want users to be typing their real password into your app, for their sake and yours (you'd never use something that did that, right?!) Good luck! – ckhan Aug 29 '12 at 16:50
  • Thanks for your answers @ckhan, you have been very helpful. –  Aug 29 '12 at 18:33
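The flow the answer describes, worked through in Python as an added example (this is not code from the question, the answer, or Google's own client libraries). The client ID, client secret, redirect URI and the "code" value in the constructed redirect are made-up placeholders; the two endpoint URLs are the ones Google currently documents for OAuth 2.0 and should be checked against the live docs before use. The example goes one step beyond the thread: because an installed app's client_secret is public by construction, it adds PKCE (RFC 7636), the standard fix for exactly this situation, so that an attacker who has the embedded secret still cannot redeem an authorization code they intercept. Nothing here touches the network; the redirect Google would send to the app's loopback listener is constructed inline so the three steps can be run and inspected offline.

```python
"""Installed-app OAuth 2.0 authorization-code flow with PKCE, worked offline.

Added example, not code from the original post. CLIENT_ID, CLIENT_SECRET and
REDIRECT_URI are placeholders; the endpoint URLs are those Google documents
today (verify against the current docs).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values standing in for what the Google API console would issue.
CLIENT_ID = "123456789.apps.googleusercontent.com"
CLIENT_SECRET = "embedded-in-the-binary"   # shipped with the app, so assume everyone can read it
SCOPE = "https://www.googleapis.com/auth/tasks"
REDIRECT_URI = "http://127.0.0.1:8080/callback"   # loopback listener the native app opens itself
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge for a PKCE verifier (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_verifier() -> str:
    """Fresh high-entropy verifier; lives in memory only for this one login."""
    return b64url(secrets.token_bytes(32))


def build_auth_url(state: str, code_challenge: str) -> str:
    """Step 1: the URL the app opens in the system browser. No secret here."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "state": state,                  # bound to this login attempt
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",        # ask for a refresh token
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: Google redirects the browser to the loopback URI; extract the code.

    Rejects error responses and any redirect whose state does not match the one
    this process generated, so a code injected by someone else is never exchanged.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect did not come from our own request")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 3: form body the app POSTs to TOKEN_ENDPOINT.

    client_secret sits in this body in the clear (over TLS, but readable by
    anyone proxying the app, as the answer says of Fiddler). What actually
    protects the exchange is code_verifier, which never left this process.
    """
    return {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "code_verifier": code_verifier,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
    }


def demo() -> dict:
    """Run steps 1-3 with a constructed redirect (no network)."""
    state = b64url(secrets.token_bytes(16))
    verifier = new_verifier()
    url = build_auth_url(state, pkce_challenge(verifier))
    # Constructed stand-in for what the browser would hit on the loopback listener.
    redirect = f"{REDIRECT_URI}?state={state}&code=constructed-code-123&scope={SCOPE}"
    code = parse_redirect(redirect, state)
    return {"auth_url": url, "token_request": build_token_request(code, verifier)}


if __name__ == "__main__":
    result = demo()
    print(result["auth_url"])
    print(result["token_request"])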