
How to get client secret from Google Developers Console in iOS?

Currently I am working on an old project that has a client ID and client secret. Now I want to update those with a new client ID and client secret using another developer account. I followed each and every step from

https://developers.google.com/+/mobile/ios/getting-started

Google APIs Console - missing client secret

But I can see only the client ID. Where is the client secret?

Here I can see only the client ID.

like image 783
Shrikant K Avatar asked Aug 18 '15 12:08

Shrikant K


3 Answers

Hey, this is a step-by-step process, hope this helps you...

Step 1: Go to the Google Developer Console and create a new app

Step 2: Enable the Google Plus API

You can see the enabled API in the Enable API's tab, which is next to API Library and is visible in the second image.

Step 3: Go to Credentials in the API & auth tab, then select the credentials option

Select the type of authentication you require

Then you will see the configure consent screen; configure the page with the information you wish to provide.

Step 4: Select the Web Application option on top and enter the required URLs

and finally click the create button

Once you do that, you can see the client ID and client secret key.

like image 160
ABS Avatar answered Oct 22 '22 11:10

ABS


When in iOS, the application type of the OAuth credential should be 'iOS'. And then you should pass an empty string as the client secret in your code.

like image 36
Nuno Santos Avatar answered Oct 22 '22 11:10

Nuno Santos


Keeping a secret (that is global to the entire application, not unique per user) in an app is NEVER EVER secure. See https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps This is an amazing article, please spend as much time as needed to understand it.

Because it can't be kept secure, using a client secret in iOS is the old, outdated approach. Nowadays you want to use proof-key-code-exchange (PKCE). It's also explained in the above link, but in short:

  • Generate a secret key in iOS; it is one-time use for that one specific login
  • Only send the hash of the key to the login authority (Google). The original has not left the app yet
  • To get the tokens, you send: <AuthorizationCode, ORIGINAL secret>. The AuthorizationCode is also one-time use
  • Google can compare the "original secret" to the previously sent hash. It therefore knows you are not an attacker that has stolen the AuthorizationCode

Back to the question. Google lets you create different types of "Apps":

  • Web application: Has a client secret (It's on a backend server, not on a publicly accessible iOS app)
  • iOS app: Has "iOS URL scheme" instead. There are frameworks that use this URL scheme and do the steps I described above for you (including PKCE). Disclaimer: I'm not an iOS developer, but I'm 99% certain

like image 1
Heinzlmaen Avatar answered Oct 22 '22 12:10

Heinzlmaen
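
The PKCE exchange outlined in the answer above, as an added example that is not part of the original answer or any Google code: a Python sketch of both sides using the S256 method from RFC 7636. The `AuthServer` class, its method names and the token string are hypothetical stand-ins for the login authority.

```python
import base64, hashlib, hmac, secrets

def b64url(data: bytes) -> str:
    # base64url without padding, as PKCE (RFC 7636) requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # The per-login secret: 32 random bytes -> 43 characters
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str) -> str:
    # S256: only this hash travels with the authorization request
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:
    """Hypothetical stand-in for the login authority (assumption)."""
    def __init__(self):
        self._pending = {}  # authorization code -> challenge it was issued for

    def authorize(self, challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = challenge
        return code

    def token(self, code: str, verifier: str):
        # pop() makes the authorization code one-time use
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        # Re-hash the presented verifier, compare in constant time
        if not hmac.compare_digest(code_challenge(verifier), challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(8)  # constructed value

def demo() -> dict:
    server = AuthServer()
    verifier = new_code_verifier()
    code = server.authorize(code_challenge(verifier))
    legit = server.token(code, verifier) is not None
    replay = server.token(code, verifier) is not None  # same code again
    # A party that only intercepted a code has no matching verifier
    code2 = server.authorize(code_challenge(verifier))
    intercepted = server.token(code2, new_code_verifier()) is not None
    return {"legit": legit, "replay": replay, "intercepted": intercepted}

if __name__ == "__main__":
    print(demo())
```

Nothing that ships inside the app bundle is needed for the check to work: the verifier is generated fresh per login and is useless once its authorization code has been redeemed.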