
Google Drive SDK - client secret - how secret is it?

According to the Google Drive SDK documentation you need to register your custom application with your Google account to obtain a client-id and client-secret information. You can then use these to build the link for your users to obtain access/refresh tokens.

According to some introductory guides on oAuth I've read, the client-secret information should be kept secretly in some cases and in some not. I'm building a Maven plugin in Java and it seems that you can hardly keep the value secret in this case.

Is it ok to release my code as open source including the client-secret information? Or does it mean a potential risk for me? And if it's not ok then how can I allow other people to use the plugin without disclosing the client-secret value?

See Google's documentation on OAuth 2.0 for Installed Applications:

The Google OAuth 2.0 endpoint supports applications that are installed on a device (eg Mobile, Mac, PC). These applications are distributed to individual machines, and it is assumed that these applications cannot keep secrets.

You should be fine releasing the secret. The only risk is that some rogue user "burns up" all your quota. Per-user quotas may help mitigate this issue if it arises.

It depends what you're releasing. If you're making a library that other people are going to use to build apps then no, they should register & use their own client secrets for their own apps.

If you have an app that you're releasing and also want to post the source code because you're a good citizen, I'd also leave the client secret out of the posted source code; people who want their own versions of the apps should register their own clients.

Of course, anything that's compiled into a mobile app isn't really much of a secret any more, because mobile devices can't keep secrets.

Release the code without the tokens and explain how those using your code can get their own. Otherwise people might abuse yours or copy them for other projects. Otherwise you can burn your quotas and also if it gets copied into other apps, those will appear as yours when the permission dialog pops up to the user (with your app name and logo).
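The approach the answers recommend, shown as an added example (not code from the question or any answer): a Maven plugin goal that takes the Google Drive client id and secret from the user's own build configuration instead of compiling them into the released source. The plugin name, the property names `gdrive.clientId`/`gdrive.clientSecret`, and the loopback redirect are assumptions.

```java
// Added example, not from the original post. Assumed package and parameter names.
package example.gdrive;

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;

@Mojo(name = "drive-auth")
public class DriveAuthMojo extends AbstractMojo {

    // Each user registers their own OAuth client in the Google API console and
    // passes it in via -Dgdrive.clientId=... / -Dgdrive.clientSecret=... or a
    // <properties> entry in ~/.m2/settings.xml, so the published source never
    // contains a working client id or secret.
    @Parameter(property = "gdrive.clientId")
    private String clientId;

    @Parameter(property = "gdrive.clientSecret")
    private String clientSecret;

    @Parameter(property = "gdrive.scope",
               defaultValue = "https://www.googleapis.com/auth/drive.file")
    private String scope;

    @Override
    public void execute() throws MojoExecutionException {
        if (isBlank(clientId) || isBlank(clientSecret)) {
            // Fail with guidance rather than falling back to a baked-in secret.
            throw new MojoExecutionException("gdrive.clientId and gdrive.clientSecret are "
                + "not set; register your own OAuth client and pass them as properties.");
        }
        // Only the client id goes into the URL; the secret is used later, for the
        // code-for-token exchange, and is never logged.
        getLog().info("Authorize the plugin at: " + buildAuthUrl(clientId, scope));
    }

    /** Installed-app authorization URL (Google's OAuth 2.0 endpoint). */
    static String buildAuthUrl(String clientId, String scope) {
        return "https://accounts.google.com/o/oauth2/v2/auth"
            + "?response_type=code"
            + "&client_id=" + enc(clientId)
            + "&redirect_uri=" + enc("http://127.0.0.1:8080/")  // assumed loopback listener
            + "&scope=" + enc(scope)
            + "&access_type=offline";
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }
}
```

Users keep their credentials in a profile in `~/.m2/settings.xml` (which stays out of version control), so consent dialogs show their own registered app name and quota usage is charged to their client, not yours.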
