Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the usage of the client_secrets.json file?

Tags:

google-api

I am working on writing a program using the Google Tasks API in Python. I have downloaded and run the sample application from Google, and it comes with a file called client_secrets.json. I understand that the file is used for OAuth authentication, but my question is should I distribute this file to users? Should I push it to my public source repo? Or is it supposed to be kept secret? If I shouldn't share it, how would other users do the authentication?

Thanks for reading.

like image 602
Ian Finlayson Avatar asked May 20 '14 13:05

Ian Finlayson


People also ask

How do I use Google Drive with client secret JSON file?

Go to Google API Console. Go to the Credentials page. Click the Download JSON button to download the client secret JSON file and securely store it in a local folder. This JSON file can then be used by Google Drive components and metadata wizard to access Google Drive via the OAuth method Installed Application (JSON) .

What is Client_id and Client_secret?

Registered OAuth applications are assigned a unique Client ID ( client_id ) and unique Client Secret ( client_secret ). By sending the client_id and the client_secret , you are letting Sell API know which application is accessing the API. Only requests to the Authorization Server require client credentials.

What is a client ID?

A Client ID is an identifier associated with an application that assists with client / server OAuth 2.0 authentication for ArcGIS client APIs . Developers create a client ID by defining an application on their developer dashboard.


1 Answers

The Google API Client Library OAuth2 docs states,

Keep your client secret private. If someone obtains your client secret, they could use it to consume your quota, incur charges against your Developers Console project, and request access to user data.

So don't commit or otherwise distribute the file.

If you want to publicly share your application source code, instruct others to use their own Google Developer account to register their own Google Developer project and generate their own app OAuth credentials (client_secrets.json file) for use with their "installation" of the app.

If you were making the application commercially available, you would seemingly need to share the app credentials with them in a trusted, legally protected, or secure manner.

like image 75
user3490818 Avatar answered Oct 05 '22 19:10

user3490818