Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Google's OAuth 2.0 for installed apps and Client Secret not being a secret

Tags:

oauth-2.0

google-oauth

It appears that Google has been modernizing OAuth interactions for native apps as announced initially here https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

and as evidenced by their current documentation pages https://developers.google.com/identity/protocols/OAuth2InstalledApp

I have been able to run the sample console app in the referenced github repo successfully.

This flow exchanges the authorization code for an access token using the client secret among other parameters. However, it is well known (and as stated in the referenced article) client secrets cannot be securely stored in installed apps. The same article states this fact in the following way

The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)

So if this flow is the recommended flow for installed app, should we just not worry about protecting the client_secret and embed it right in the app? If so, what about this flow makes it so?

Also, as the sample shows, a random http redirect url is generated locally which is not registered anywhere in Google Developer Console's Credentials page. This is unlike Azure AD where you have to be specific about the redirect uri when registering a native app.

like image 292
tstojecki Avatar asked Feb 04 '23 08:02

tstojecki

1 Answers

The behavior of Google's authorization server is gated on the type of client you register.

It's an oddity that the "client secret" is required for Desktop and TV clients, but not iOS and Android, however for all 4 native app types, the server treats the clients as non-confidential, and the "client secret" value is effectively an extension of the client id. This is in contrast to web-clients, where it is assumed the client secret confidentiality is maintained, and thus they can be treated differently for actions like incremental auth.

Regarding the registration of redirect URIs, this is also gated on client types. For some types like Web, manual registration is required. For other types like Desktop, the redirect URI is pre-registered (in the case of desktop, http://127.0.0.1:*/*).

like image 162
William Denniss Avatar answered May 02 '23 16:05

William Denniss
Sign in to Comment

Related questions

Passing through URL parameters through Passport OAuth flow
Add custom key/value to JWT token payload or user with keycloak
Nginx proxy for OAuth2 validation
Get Oauth Access Token in Python
How to deal with fragment GET parameters in Vue Router?
Spring security oauth2 fails issuer validation after 30 seconds
Unable to validate access token signature obtained from Azure AD in order to secure Web API
Multiple Access token with one refresh token
Explain Offline Token validation vs Online Token validation in Open ID connect ? Advantages, limitations & tradeoffs
Is Active Directory not supporting Authorization Code Flow with PKCE?
Spring Boot - set default HTTP Oauth2Login() registration/provider
How to authenticate to https://tfspreview.com (MIcrosoft-hosted TFS) using Java command line application?
Spring Security oauth2, why does my auth/token authenticates CLIENT but returns 404?
Symfony2 OAuth2 provider error UserRepository
Connect angularjs webapp to REST API (PHP)
oauth2 authentication support in ejabberd
OpenId Connect Questions -Authorization Code Flow (OAuth 2.0)
Pinterest's official OAuth2 flow seemingly returns an invalid access token
Can't get Oauth2 (Twitter) to work - returns invalid token
Identity Server auth without requesting user permission

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!