Is it safe to distribute client_id and client_secret for Google API for an installed application?

Similar questions have been asked before (1,2), but not explicitly answered:

Is it safe to store the client id and client secret credentials obtained for an Installed application -> Other for the Google API with the distributed source code of a command line application which will be distributed? Or will it be possible to access user accounts or data without the access_token granted by user consent?

The Google API docs specify that:

.. results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)

It is apparent from other documentation that this is not best practice: the client_secret should not even be provided by the service, but it is currently required by the oauth2 and googleapiclient libraries (for Python), and probably by the Google service as well.

The application will use oauth2 based on these official examples.

References, good explanation or documentation that confirms whether this is truly safe or not is much appreciated.

gauteh asked Apr 02 '17 20:04


1 Answer

The Client ID is publicly visible and it is safe to put it in your website, but it is not safe to put your client secret in JS or HTML code in a website.

rbansal answered Oct 21 '22 09:10
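An added example, not from the question or the answer above, of how a distributed command-line tool can embed the client ID (and an effectively public client secret) while limiting what that embedded secret is worth: the consent request uses a PKCE code challenge and a loopback redirect, the token request cannot be assembled without the authorization code that only user consent produces, and the resulting per-user tokens are written with owner-only file permissions. Google's authorization and token endpoint URLs are real; the client ID and secret values are constructed placeholders.

```python
import base64, hashlib, json, os, secrets
from urllib.parse import urlencode

# Constructed placeholder values: the real ones come from the Google API console.
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
CLIENT_SECRET = "placeholder-client-secret"   # shipped in the binary, so treat as public
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    return secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 range RFC 7636 allows

def authorization_url(verifier: str, redirect_uri: str, scope: str, state: str) -> str:
    """Build the consent URL. Nothing here grants access; the user has to approve it."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,        # loopback, e.g. http://127.0.0.1:8080/
        "response_type": "code",
        "scope": scope,
        "state": state,                      # bound to this run; verify it on return
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        "access_type": "offline",            # ask for a refresh token
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)

def token_request(code: str, verifier: str, redirect_uri: str) -> tuple:
    """Endpoint and form body for the code exchange; without `code` the secret buys nothing."""
    body = {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "code_verifier": verifier,           # proves this process started the flow
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
    }
    return TOKEN_ENDPOINT, body

def save_tokens(path: str, tokens: dict) -> int:
    """Persist the per-user tokens (the real secret) with owner-only permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)
    return os.stat(path).st_mode & 0o777
```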