Similar questions have been asked before (1,2), but not explicitly answered:
Is it safe to store the client id and client secret credentials obtained for an Installed application -> Other for the Google API with the distributed source code of a command line application which will be distributed? Or will it be possible to access user accounts or data without the access_token granted by user consent?
The Google API docs specify that:
.. results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)
It is apparent from other documentation that this is not best practice: the client_secret should not even be provided by the service, but it is currently required by the oauth2 and googleapiclient libraries (for Python), and probably by the Google service as well.
The application will use oauth2 based on these official examples.
References, a good explanation or documentation that confirms whether this is truly safe or not are much appreciated.
Client ID is publicly visible and it is safe to put it in your website, but it is not safe to put your client secret in JS or HTML code in a website.
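A check for the case the answer describes, as an added example that is not part of the original post: it scans browser-delivered files (.js, .html) for a hard-coded client secret and reports client IDs only as informational. The regexes, file names and sample values are constructed for illustration.

```python
import re

# Files delivered to the browser: anything embedded in them is public.
CLIENT_SIDE_EXT = (".js", ".html", ".htm")

# Google OAuth client IDs end in .apps.googleusercontent.com.
CLIENT_ID_RE = re.compile(r"[0-9A-Za-z_-]+\.apps\.googleusercontent\.com")
# A client_secret / clientSecret key assigned a non-empty string literal.
# References such as process.env.X are not literals and do not match.
CLIENT_SECRET_RE = re.compile(
    r"""client[_-]?secret["']?\s*[:=]\s*["']([^"']+)["']""", re.IGNORECASE)

def scan(files):
    """files: dict of path -> text. Returns (path, line_no, kind) tuples.

    The matched secret value is deliberately never returned, so the
    report itself does not become another copy of the secret.
    """
    findings = []
    for path, text in files.items():
        if not path.lower().endswith(CLIENT_SIDE_EXT):
            continue  # not browser-delivered; outside the js/html case checked here
        for line_no, line in enumerate(text.splitlines(), 1):
            if CLIENT_SECRET_RE.search(line):
                findings.append((path, line_no, "client_secret"))
            elif CLIENT_ID_RE.search(line):
                findings.append((path, line_no, "client_id"))
    return findings

# Constructed sample tree (all values are placeholders, not real credentials).
SAMPLE = {
    "static/app.js": (
        'const cfg = {\n'
        '  client_id: "1234-abc.apps.googleusercontent.com",\n'
        '  client_secret: "EXAMPLE-NOT-A-REAL-SECRET"\n'
        '};\n'),
    "templates/index.html":
        '<meta name="google-signin-client_id" '
        'content="1234-abc.apps.googleusercontent.com">\n',
    "server/settings.py": 'CLIENT_SECRET = "EXAMPLE-NOT-A-REAL-SECRET"\n',
}

if __name__ == "__main__":
    for path, line_no, kind in scan(SAMPLE):
        level = "FAIL" if kind == "client_secret" else "info"
        print(f"{level}: {path}:{line_no}: {kind}")
```
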