
I'm working on an open source C# application that needs access to YouTube accounts. I've been looking at https://developers-dot-devsite-v2-prod.appspot.com/youtube/v3/code_samples/dotnet#retrieve_my_uploads, but am confused by the part where the code refers to client_secrets.json. Where am I supposed to get that? I've seen the API documentation where you should avoid disclosing the secrets. So I can't put them into my code.

Unfortunately, my project has no money whatsoever for a server. So I can't hide them there. But even if I could, wouldn't my code just tell everyone how to get the secrets off my server?

1 Answer


client_secrets.json. Where am I supposed to get that?

You can use your developer console's credentials tab. Client IDs will be listed there (if generated already), or you can create a new one as shown below. You can then download it (the client_secrets.json file).

I've seen the API documentation where you should avoid disclosing the secrets

You must not expose sensitive information, as it poses a high security risk. As it is not clear how you are aiming to implement it, generally, you cannot protect your secrets if you embed them into your application. If compromised, an attacker can impersonate your client.

OAuth outlines various authorization flows that can be adopted to suit your needs. For example, your question suggests that you are using the OAuth code flow, and this is where client secrets come into the picture. However, there are other flows; one of them is the OAuth Implicit flow, which doesn't require you to supply client credentials. In the Implicit flow, there is no client secret, and once a user authenticates with the OAuth2 provider, the client will receive the access token to proceed with. You can read more about the Implicit Flow in the original spec.

I think you should make yourself knowledgeable on the topic and then follow the proposed implementation style while keeping the type of client as the focal point.

Note: The URLs referenced on flows are ONLY to guide you on the topic, and must be researched further for better understanding.

S.N
  • Thanks. I'll get to it soon. As of now, I haven't opened your links. Do I need to be able to open a browser window for the user to approve the access? – Will Pittenger Apr 10 '20 at 04:09
  • The page you referenced with your "implicit flow" links doesn't list any samples. In another link I found links to https://github.com/googlesamples/oauth-apps-for-windows/blob/master/OAuthDesktopApp/OAuthDesktopApp/MainWindow.xaml.cs, but that doesn't appear to use your implicit flow. Should I use another example? I should mention my app is a WPF thick client. No JavaScript. – Will Pittenger Apr 10 '20 at 06:31
  • @WillPittenger, As long as you get the terms correct, you are free to research the various flows. I don't have any experience in implementing OAuth in WPF, especially WPF acting as a client. However, if I were to do this, then I would look into the possibility of embedding a web browser control within your .xaml, which allows the WPF window to handle the redirect for obtaining the tokens. Please check this link and download the sample code. You might get some idea. https://github.com/googlesamples/oauth-apps-for-windows – S.N Apr 10 '20 at 11:02
  • @WillPittenger, I spotted a SO answer by Simon Mourier on this subject. That is implementing OAuth in wpf. You can check that as well. https://stackoverflow.com/questions/48321034/wpf-application-authentication-with-google – S.N Apr 10 '20 at 11:05
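
The implicit flow described in the answer, sketched in C# as an added example (not code from the original posts or from Google's samples): it builds the authorization request without any client secret and validates the redirect before accepting the token. The client ID and redirect URI are placeholders, the class and method names are hypothetical, and the redirect in `Main` is constructed sample input.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class ImplicitFlowExample
{
    // Placeholders (assumptions): substitute the values registered for your own client.
    const string ClientId = "YOUR_CLIENT_ID.apps.googleusercontent.com";
    const string RedirectUri = "https://example.invalid/oauth/callback";
    const string AuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth";
    // Unguessable per-request value that ties the redirect to the request we started.
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
    // response_type=token selects the implicit flow; no client_secret is sent anywhere.
    public static string BuildAuthorizationUrl(string state, string scope) =>
        AuthEndpoint + "?response_type=token"
        + "&client_id=" + Uri.EscapeDataString(ClientId)
        + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri)
        + "&scope=" + Uri.EscapeDataString(scope) + "&state=" + Uri.EscapeDataString(state);
    // The token arrives in the URL fragment (#...), not the query string.
    public static string ExtractAccessToken(Uri redirected, string expectedState)
    {
        var fields = redirected.Fragment.TrimStart('#')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2)
            .GroupBy(kv => Uri.UnescapeDataString(kv[0]))
            .ToDictionary(g => g.Key, g => Uri.UnescapeDataString(g.Last()[1]));
        if (fields.TryGetValue("error", out var error))
            throw new InvalidOperationException("Authorization failed: " + error);
        // Reject any response that does not carry the state value we generated.
        if (!fields.TryGetValue("state", out var state) || !string.Equals(state, expectedState, StringComparison.Ordinal))
            throw new InvalidOperationException("State mismatch; discarding response.");
        if (!fields.TryGetValue("access_token", out var token) || token.Length == 0)
            throw new InvalidOperationException("No access token in redirect.");
        return token;
    }

    static void Main()
    {
        string state = NewState();
        Console.WriteLine(BuildAuthorizationUrl(state, "https://www.googleapis.com/auth/youtube.readonly"));
        var redirect = new Uri(RedirectUri + "#access_token=SAMPLE_TOKEN&token_type=Bearer&state=" + state); // constructed
        Console.WriteLine(ExtractAccessToken(redirect, state));
    }
}
```

In a WPF client, the URL passed to `ExtractAccessToken` would be the one the embedded browser control navigates to after consent. For native apps, RFC 8252 recommends the authorization code flow with PKCE over the implicit flow.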