
So according to this article, "Using OAuth 2.0 for JavaScript Web Applications", to build a web app that uses OAuth, the client ID and API key are used on the client side, by the browser via JavaScript.

Yet if my API key is used by the client, it is in the open. You can inspect elements, look at sources, click around and find the key. Additionally, from what I read, API keys cannot be secured on the client side, because they could be found somehow.

Anyway, is it a problem if the client can find my API key? Restricting the key in GCP seems to be the best I could do.

1 Answer


Not really.

It is true that implicit grant flow is less secure than, say, authorization code flow. However, exposing the client ID or the API key in itself does not make your application less secure. This is because a client ID is not enough to access a protected resource (such as your API).

The client ID is used to get an access token from Google's IdP. When you get a client ID, you also register a domain/return URL. This access token is returned to your application via a URL query parameter and is stored in your browser's storage and/or as a cookie. After that, the token is bound to your domain in that browser. Furthermore, the token is valid only for a limited time.

The main security risks here are browser history sniffing and cross-site scripting attacks. But the fact that the client ID or API key is exposed is not a big problem.

See this answer for more details.

derisen
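The round trip the answer describes, written out as an added example (not code from the question, the answer, or Google): the client ID goes into the authorization URL in the clear, and the things that actually protect the flow are the registered redirect URI, a one-time `state` value, and scrubbing the returned token from the address bar and history, which addresses the history-sniffing risk the answer names. All function names are my own; the authorization endpoint is assumed from Google's OAuth 2.0 documentation, and `win` is the browser `window` passed in so the code can be exercised outside a browser.

```javascript
// Added example: defensive handling of the implicit-grant round trip.
// Function names are mine; the endpoint is assumed from Google's docs.

function buildAuthUrl(clientId, redirectUri, state) {
  // The client ID travels in the clear: it is a public identifier. What
  // protects the flow is the redirect_uri registered for that ID and the
  // one-time state value checked on the way back.
  const u = new URL('https://accounts.google.com/o/oauth2/v2/auth');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('response_type', 'token');
  u.searchParams.set('scope', 'openid email');
  u.searchParams.set('state', state);
  return u.toString();
}

function parseImplicitRedirect(fragment, expectedState) {
  // The IdP returns the token in the URL fragment: #access_token=...&state=...
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  if (p.get('error')) return { ok: false, reason: 'idp_error:' + p.get('error') };
  // A state mismatch means this response was not started by this browser
  // session (e.g. a token injected through a crafted link): reject it.
  if (!expectedState || p.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  const token = p.get('access_token');
  if (!token || (p.get('token_type') || '').toLowerCase() !== 'bearer') {
    return { ok: false, reason: 'missing_token' };
  }
  const expiresIn = Number(p.get('expires_in'));
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    return { ok: false, reason: 'bad_expiry' };
  }
  return { ok: true, token, expiresAt: Date.now() + expiresIn * 1000 };
}

function completeLogin(win) {
  // Browser side: `win` is the window object (passed in so it can be faked).
  const expected = win.sessionStorage.getItem('oauth_state');
  win.sessionStorage.removeItem('oauth_state'); // state is single-use
  const result = parseImplicitRedirect(win.location.hash, expected);
  // Scrub the fragment so the token is not left in the address bar or in
  // browser history (the history-sniffing risk named in the answer).
  win.history.replaceState(null, '', win.location.pathname + win.location.search);
  // Keep result.token in memory only; do not persist it to localStorage,
  // where any injected script could read it.
  return result;
}
```

Before redirecting, generate a random `state`, store it under `oauth_state` in `sessionStorage`, and pass it to `buildAuthUrl`; on the callback page call `completeLogin(window)`.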