
Google Drive SDK client secret - how secret is it?

According to the Google Drive SDK documentation, you need to register your custom application with your Google account to obtain a client ID and client secret. You can then use these to build the link for your users to obtain access/refresh tokens.

According to some introductory guides on OAuth I've read, the client secret should be kept secret in some cases and not in others. I'm building a Maven plugin in Java, and it seems that you can hardly keep the value secret in this case.

Is it OK to release my code as open source including the client secret? Or does it pose a potential risk for me? And if it's not OK, then how can I allow other people to use the plugin without disclosing the client secret value?


Answer #1

It depends what you’re releasing. If you’re making a library that other people are going to use to build apps then no, they should register & use their own client secrets for their own apps.

If you have an app that you’re releasing and also want to post the source code because you're a good citizen, I’d also leave the client secret out of the posted source code; people who want their own versions of the apps should register their own clients.

Of course, anything that's compiled into a mobile app isn't really much of a secret any more, because mobile devices can't keep secrets.

Answer #2

Release the code without the tokens and explain how those using your code can get their own. Otherwise people might abuse yours or copy them for other projects. Otherwise you can burn your quotas, and also if it gets copied into other apps, those will appear as yours when the permission dialog pops up to the user (with your app name and logo).
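Both answers come down to the same practice: ship the plugin without any client ID or secret and have each user supply the pair they registered themselves. The following is an added example of how a Java Maven plugin can do that, not code from the question, the answers, or Google's SDK. The environment variable names, the properties file location under `~/.config/gdrive-plugin/`, and the `client.id` / `client.secret` keys are assumptions chosen for this example; the class deliberately uses no Google or Maven libraries so it compiles on its own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

/**
 * Resolves the OAuth client ID/secret at run time instead of compiling them
 * into the released source. Resolution order (an assumption for this example,
 * not a Google or Maven convention):
 *   1. environment variables GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET
 *   2. a properties file outside the source tree:
 *      ~/.config/gdrive-plugin/client.properties
 * If neither yields a usable pair, the build fails with instructions telling
 * the user to register their own client, so the open-source repository never
 * needs to contain a real secret.
 */
public final class ClientCredentials {

    public static final String ENV_ID = "GOOGLE_CLIENT_ID";
    public static final String ENV_SECRET = "GOOGLE_CLIENT_SECRET";
    public static final Path DEFAULT_FILE = Paths.get(
            System.getProperty("user.home"), ".config", "gdrive-plugin", "client.properties");

    private final String clientId;
    private final String clientSecret;

    private ClientCredentials(String clientId, String clientSecret) {
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    public String clientId() { return clientId; }
    public String clientSecret() { return clientSecret; }

    /** Entry point a Mojo's execute() would call. */
    public static ClientCredentials load() throws IOException {
        return load(System.getenv(ENV_ID), System.getenv(ENV_SECRET), DEFAULT_FILE);
    }

    /** Testable variant: sources are passed in rather than read from the process. */
    static ClientCredentials load(String envId, String envSecret, Path file) throws IOException {
        if (usable(envId) && usable(envSecret)) {
            return new ClientCredentials(envId.trim(), envSecret.trim());
        }
        if (Files.isRegularFile(file)) {
            Properties p = new Properties();
            try (InputStream in = Files.newInputStream(file)) {
                p.load(in);
            }
            String id = p.getProperty("client.id");
            String secret = p.getProperty("client.secret");
            if (usable(id) && usable(secret)) {
                return new ClientCredentials(id.trim(), secret.trim());
            }
        }
        throw new IllegalStateException(
                "No Google OAuth client credentials found. Register your own client in the "
                + "Google API Console, then either export " + ENV_ID + " and " + ENV_SECRET
                + " or create " + file + " containing client.id= and client.secret=.");
    }

    /**
     * Rejects empty values and the placeholder text a sample config might still
     * carry, so a user cannot accidentally run with a copied template.
     */
    private static boolean usable(String s) {
        if (s == null) return false;
        String t = s.trim();
        return !t.isEmpty() && !t.startsWith("YOUR_") && !t.equals("changeme");
    }

    /** Keeps the secret out of build logs and stack traces. */
    @Override
    public String toString() {
        return "ClientCredentials{clientId=" + clientId + ", clientSecret=<redacted>}";
    }

    public static void main(String[] args) throws IOException {
        // Prints the resolved ID only; the secret is never echoed.
        System.out.println("Loaded " + ClientCredentials.load());
    }
}
```

In the plugin itself, `execute()` would call `ClientCredentials.load()` and pass the pair to the Drive authorization flow; the README then documents the two supported sources. If a project-local credentials file is ever preferred over the home-directory one, list it in `.gitignore` before the first commit, since the whole point is that no real client secret ends up in the published repository.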