
Question

If InstalledAppFlow requires a client secret JSON file to perform OAuth2 authorization, how are actual real-life applications using Google APIs distributed?

Should the client secret JSON file be considered part of the application and included as a constant?


Context

Currently I am learning how to use OAuth2 to authorize Google API access with the Python module google_auth_oauthlib.

And I found that the OAuth2 authorization process itself requires client secret files for the InstalledAppFlow authorization method, but I have never seen an application that asks for authorization asking for a client secret.

After countless searches, all I could find about it was this, from the Google Identity docs:

> The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)

And from the Google Cloud docs:

> Save the credentials file to client_secrets.json. This file must be distributed with your app.

Is this explaining that I should embed (include) the client secret as a constant in the code itself?

jupiterbjy

1 Answer

The issue with the client id and client secret is that they need to be kept secure. Google's TOS requires that developers keep their client id and secret secure:

> Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.

This can cause issues with, for example, open source applications. Can I really not ship open source with Client ID?

I have had a few conversations with the OAuth2 team at Google over the years. Installed applications, those that are compiled anyway, can compile the client id and client secret in internally; however, that would not stop anyone from decompiling the application and retrieving the client id and client secret.

I was told that they are aware of that issue and that there is really no way around it.

I have seen another option where the client id and client secret would be stored on the server and then the installed application would request them from a web API. This is another option, but you are sending them across HTTPS; it should be considered secure even if you double encrypt them.

The fact of the matter is there really is no way around it. The main thing is that you should not release an application with, for example, a settings file where the client id and client secret appear in clear text; that would IMO be too great a risk. You would need to compile it into your application or at the very least encrypt it somehow.

You won't stop someone who really wants to get it from getting it, but you will stop most people.

Why installed apps are the issue

There are several types of applications: mobile, web, installed.

With mobile and web there are ways of configuring the client so that you can ensure that they only work from your server. With web you have a redirect URI; with mobile there is the actual mobile API id.

With installed applications this is not possible because they mostly run on localhost. There is no way for you to know where the app is running, so they are left open. So if anyone got ahold of your client id and client secret then they could use it for their app. Users would have no way of knowing it wasn't your official app, and neither would Google.

As you have a Python script, why not consider instructing your users in creating their own client id and client secret? Then they will be independent.

Linda Lawton - DaImTo
  • Considering I am a Python coder it would be just plain text, wonder how applications like Streamlabs OBS deal with it... Will accept this as answer if I see no other answers for the next 7 days. – jupiterbjy Aug 10 '21 at 10:14
  • You can't release it plain text, you're going to have to do it some other way. Encrypt it somehow. – Linda Lawton - DaImTo Aug 10 '21 at 11:18
  • Found new contradicting info from [Google cloud docs](https://cloud.google.com/bigquery/docs/authentication/end-user-installed), saying that the client secret has to be bundled with the app. Could it be Google devs not having enough conversations internally? – jupiterbjy Aug 10 '21 at 11:37
  • Yes it has to be bundled with the app, but you understand that if someone has your client id and your client secret for an installed client, which by nature has no way of locking down the redirect URI / IP address, then anyone can use it to create their own app to mimic yours and there will be no way for the user to know it's not you. If your app then gets banned by Google there will again be no way for Google to know it wasn't your app. – Linda Lawton - DaImTo Aug 10 '21 at 11:40
  • Redirect URL wouldn't be working for my usage cases, I'd better find ways to encrypt it somehow, I count this as an answer. Do you mind adding your last comment to your answer body, so others can see it better? – jupiterbjy Aug 10 '21 at 12:02
  • I have written several installed applications for clients over the years; there is no really good solution for this. – Linda Lawton - DaImTo Aug 10 '21 at 12:39
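The answer's last suggestion, having each user supply their own client id and secret rather than bundling one with the script, implemented as an added example (not code from the question, the answer, or google_auth_oauthlib itself). It loads the user's own client_secrets.json from a per-user config directory, checks it is a "Desktop app" client (InstalledAppFlow expects the `installed` key), hands it to `InstalledAppFlow.from_client_config`, and caches the resulting token with owner-only permissions; the app name `myapp` and the config path layout are assumptions.

```python
# Added example: per-user client_secrets.json instead of a bundled secret.
import json
import os
import stat
from pathlib import Path

APP_NAME = "myapp"  # placeholder app name (assumption)
SCOPES = ["https://www.googleapis.com/auth/drive.metadata.readonly"]  # example scope


def config_dir(app_name: str = APP_NAME) -> Path:
    """Per-user config directory: $XDG_CONFIG_HOME/<app> or ~/.config/<app>."""
    base = os.environ.get("XDG_CONFIG_HOME") or str(Path.home() / ".config")
    return Path(base) / app_name


def load_client_config(raw: str) -> dict:
    """Parse and validate a client_secrets.json the user downloaded from the
    Google Cloud Console. A 'web' client is rejected: InstalledAppFlow needs a
    'Desktop app' client, whose JSON uses the top-level 'installed' key."""
    data = json.loads(raw)
    if "installed" not in data:
        raise ValueError("expected a 'Desktop app' client (top-level key 'installed')")
    installed = data["installed"]
    for key in ("client_id", "client_secret", "auth_uri", "token_uri"):
        if not installed.get(key):
            raise ValueError(f"client_secrets.json is missing installed.{key}")
    return data


def secure_write(path: Path, content: str) -> None:
    """Write the cached user token so only the current user can read it (0600)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as f:
        f.write(content)


def authorize(app_name: str = APP_NAME):
    """Run the desktop OAuth flow with the user's own client and cache the token."""
    from google_auth_oauthlib.flow import InstalledAppFlow  # imported lazily

    secrets_path = config_dir(app_name) / "client_secrets.json"
    if not secrets_path.exists():
        raise FileNotFoundError(f"place your own client_secrets.json at {secrets_path}")
    client_config = load_client_config(secrets_path.read_text())
    flow = InstalledAppFlow.from_client_config(client_config, SCOPES)
    creds = flow.run_local_server(port=0)  # local redirect on a random free port
    secure_write(config_dir(app_name) / "token.json", creds.to_json())
    return creds
```

Nothing secret ships with the script: the user creates their own OAuth client in the Cloud Console and drops the downloaded file into the config directory, so a leaked copy of the program reveals no credentials.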