Similar questions have been asked before (1,2), but not explicitly answered:

Is it safe to store the client id and client secret credentials obtained for an Installed application -> Other for the Google API with the distributed source code of a command line application which will be distributed? Or will it be possible to access user accounts or data without the access_token granted by user consent?

The Google API docs specify that:

.. results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)

It is apparent from other documentation that this is not best practice: the client_secret should not even be provided by the service, but it is currently required by the oauth2 and googleapiclient libraries (for Python), and probably by the Google service as well.

The application will use oauth2 based on these official examples.

References, a good explanation, or documentation that confirms whether this is truly safe or not would be much appreciated.

gauteh
  • What kind of application do you develop (server-side, mobile, single page web application) and what OAuth2 flow do you want to use? – Ján Halaša Apr 05 '17 at 11:50
  • @JánHalaša: It says in the question, a command line application (which will be distributed), using oauth2 in this way: https://developers.google.com/api-client-library/python/auth/installed-app – gauteh Apr 05 '17 at 15:15
  • actually, here: https://developers.google.com/gmail/api/quickstart/python – gauteh Apr 05 '17 at 15:20

1 Answer

Client Id is publicly visible and it is safe to put it in your website, but it is not safe to put your client secret in JS or HTML code on a website.

rbansal
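Taking the question (an installed-app CLI that ships its client_secrets.json) and the answer (the client id is public) together, here is an added example, not from the original post or from Google's libraries, that shows with only the Python standard library which part of the exchange is actually sensitive: the authorization URL sent to the user carries just the client_id, and the per-user token obtained after consent is what must be protected on disk. The client_secrets values are constructed placeholders, and the file-mode checks assume a Unix host.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlencode

# Constructed stand-in for Google's "installed" client_secrets.json (not real credentials).
CLIENT_SECRETS_JSON = json.dumps({"installed": {
    "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
    "client_secret": "EXAMPLE-NOT-A-SECRET",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob", "http://localhost"],
}})

def build_auth_url(client_secrets_json, scopes, state):
    """First leg of the installed-app flow: send the user to Google to consent.
    Only the client_id is used; the shipped client_secret never appears here."""
    cfg = json.loads(client_secrets_json)["installed"]
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uris"][0],
        "scope": " ".join(scopes),
        "state": state,            # per-run random value, checked on the redirect
        "access_type": "offline",  # ask for a refresh token for later runs
    }
    return cfg["auth_uri"] + "?" + urlencode(params)

def save_token(path, token):
    """The token returned after consent is the real secret (one user's data).
    Create it 0600 and chmod again in case the file already existed wider."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(token, f)
    os.chmod(path, 0o600)

def token_file_is_private(path):
    """True if group and others have no access bits on the stored token."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def save_and_verify(token, directory=None):
    """Store a token (fresh temp dir unless given) and report whether it is private."""
    path = os.path.join(directory or tempfile.mkdtemp(), "token.json")
    save_token(path, token)
    return token_file_is_private(path)
```

The code exchanged for the token is still only issued after the user approves the consent screen, so a copied client_secret on its own yields nothing; the stored token is the credential an attacker on the same machine would go after.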