I'm writing a command-line tool in Python to post/edit/delete Blogger posts. Since the authentication uses OAuth2, I've requested API credentials on Google API. It comes in the form of a client_id.json file.

{
  "installed": {
    "client_id": "<removed>",
    "project_id": "<removed>",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://www.googleapis.com/oauth2/v3/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "<removed>",
    "redirect_uris": [
      "urn:ietf:wg:oauth:2.0:oob",
      "http://localhost"
    ]
  }
}

I plan to make the app open source.

  • If someone has the file, does that mean he can access everyone who allowed the app to manage their blog?
  • Are separate users expected to generate their own API key?
knarf
  • If someone has your client_secret file, then they can do whatever they want with the scopes & APIs you've given to the associated Google Cloud Project. They aren't restricted to pairing it with your written app. And everything they do? Google thinks you're doing it. – tehhowch Aug 17 '18 at 14:06

1 Answer

No, you can't, and here is why.

I plan to make the app open source.

  1. If someone has the file, does that mean he can access everyone who allowed the app to manage their blog?

Yes, if someone has your credentials file they can do whatever they want using your account, and possibly spam from your developer account, causing you to lose access to your account. See Can I really not ship open source with Client ID?

  2. Are separate users expected to generate their own API key?

No. Anyone who downloads your open source project and wants to use it will be required to make their own credentials file in the Google Developer Console. As per the TOS, you are not allowed to share your credentials file with another user.

Linda Lawton - DaImTo
  • Somehow MS Word can publish to Blogger. I don't have access to it to test, unfortunately, but I'm guessing they found another way to authenticate? – knarf Aug 20 '18 at 10:39
  • MS Word is an installed application, and their credentials are probably built into the executable, or they are sending them to the application from a background process. OAuth2 is the only way to authenticate to Blogger. You cannot release your credentials in an open source project; you're going to have to instruct users on how to create their own. – Linda Lawton - DaImTo Aug 20 '18 at 10:51
  • This seems very unlikely: the key could be found by reverse engineering relatively easily. But "installed app" put me in the right direction: https://developers.google.com/api-client-library/python/auth/installed-app#overview It seems there is an alternative if you don't want to publish secrets. – knarf Aug 21 '18 at 08:32
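The answer above says every user must supply their own client_id.json and the project must never ship one. The following is an added example (not code from the question, the answer, or any Google library) of how an open-source Blogger CLI can enforce that before handing the file to an OAuth2 library: it checks the "installed" block the question shows, rejects placeholder secrets such as the `<removed>` values, refuses a file that lives inside the source tree, and requires owner-only permissions. The config path, sample values and helper names are assumptions for the demonstration.

```python
import json
import stat
from pathlib import Path
from typing import List, Optional

# Values that must never be accepted as a real client_id / client_secret.
PLACEHOLDERS = {"", "<removed>", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"}
REQUIRED = ("client_id", "client_secret", "auth_uri", "token_uri", "redirect_uris")

def validate_installed_client(text: str) -> List[str]:
    """Return a list of problems with a client_id.json; an empty list means usable."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e}"]
    inst = data.get("installed") if isinstance(data, dict) else None
    if not isinstance(inst, dict):
        return ["no 'installed' block: this is not an installed-app credential"]
    problems = [f"missing field {k}" for k in REQUIRED if k not in inst]
    for key in ("client_id", "client_secret"):
        if inst.get(key, "") in PLACEHOLDERS:
            problems.append(f"{key} is a placeholder, not a real value")
    if not any(u.startswith("http://localhost") for u in inst.get("redirect_uris", [])):
        problems.append("no http://localhost redirect URI for the loopback flow")
    return problems

def inside_repo(path: str, repo_root: str) -> bool:
    """True if the credentials file sits under the source tree (could get committed)."""
    return Path(repo_root).resolve() in Path(path).resolve().parents

def unsafe_mode(mode: int) -> bool:
    """True if group or others have any access to the file (want 0600)."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))

def load_client_credentials(path: str, repo_root: Optional[str] = None) -> dict:
    """Load the user's own client_id.json from a per-user location, or raise."""
    if repo_root is not None and inside_repo(path, repo_root):
        raise PermissionError(f"{path} is inside the repository; keep it in a user config dir")
    if unsafe_mode(Path(path).stat().st_mode):
        raise PermissionError(f"{path} is readable by other users; chmod 600 it")
    text = Path(path).read_text()
    problems = validate_installed_client(text)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(text)["installed"]

# Constructed sample inputs for the demonstration (not real credentials).
SAMPLE_OK = json.dumps({"installed": {
    "client_id": "1234.apps.googleusercontent.com", "client_secret": "fake-secret-for-demo",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://www.googleapis.com/oauth2/v3/token",
    "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob", "http://localhost"]}})
SAMPLE_PLACEHOLDER = SAMPLE_OK.replace("fake-secret-for-demo", "<removed>")
```

A typical call is `load_client_credentials("~/.config/blogger-cli/client_id.json", repo_root=".")` after expanding the home directory; the returned dict is what an OAuth2 installed-app flow would consume.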