Changing the OAuth2 client secret
1,534 views
Skip to first unread message
Rob
May 14, 2014, 12:37:19 PM5/14/14
to adwor...@googlegroups.com
Hi,
From what I can see, the only option is to generate a new client ID and secret together, meaning any refresh tokens obtained against the old client ID are effectively useless.
If that is the case, what's the point of having a separate ID and secret? Surely they should just be a single property of the application.
This appears to be a design flaw with separating authentication from authorization. I can't periodically change the client secret as a security best practice (like changing your password on a regular basis) without having to get all my clients to re-authorize me.
Rob
May 14, 2014, 12:51:44 PM5/14/14
to adwor...@googlegroups.com
Note that Bing Ads allow changing the client secret for a given ID in their Developer Center... it shouldn't be that difficult for Google!
Ray Tsang (AdWords API Team)
May 15, 2014, 6:59:04 AM5/15/14
to adwor...@googlegroups.com
Rob,
I've noted this down. However, I'm only able to help resolving AdWords API issues. This is more related to the accounts and authentications in general.
Could I trouble you to reach out via Google Accounts API related forums?
Thanks,
Ray
Rob
May 15, 2014, 9:10:34 AM5/15/14
to adwor...@googlegroups.com
Thanks Ray, I've posted a question there...
Rob.
Ray Tsang (AdWords API Team)
May 16, 2014, 8:25:16 AM5/16/14
to adwor...@googlegroups.com
Thanks Rob. I've also notified the relevant teams.
Cheers,
Ray
Rob
Jun 9, 2014, 4:14:52 AM6/9/14
to adwor...@googlegroups.com
Hi Ray,
So far my post on that forum has gained a couple of votes and comments but nothing from the Google team.
This is a serious security request, as we cannot change what is effectively our application password. That could result in leaks or damage to your clients' data if it's not addressed. Please could you escalate this if at all possible.
Josh Radcliff (AdWords API Team)
Jun 9, 2014, 4:48:35 PM6/9/14
to adwor...@googlegroups.com
Hi Rob,
Ray or I will let you know as soon as we have any updates from the relevant teams, but for the time being if you need to reset a client_secret you can do so from the prior version of developer console. To get to the prior version, click the Return to original console link at the bottom of https://console.developers.google.com/project.
Cheers,
Josh, AdWords API Team
Rob
Jun 10, 2014, 4:09:44 AM6/10/14
to adwor...@googlegroups.com
Thanks Josh, I wasn't aware of the original console link. Resetting the client secret there works perfectly.
Josh Radcliff (AdWords API Team)
Aug 29, 2014, 12:34:43 PM8/29/14
to adwor...@googlegroups.com
Hi Rob,
I'm happy to report that you can now reset the client secret in the new Google Developers Console as well by clicking the Reset secret button.
Cheers,
Josh, AdWords API Team
Rob
Sep 8, 2014, 12:18:47 PM9/8/14
to adwor...@googlegroups.com
That's great news Josh, thanks for following up on this.
thg...@gmail.com
Aug 30, 2017, 5:07:23 AM8/30/17
to AdWords API Forum
Hi Josh,
Google account client_id and client_secret leak, not app client_id, i changed the password, these are not reset. Is the change password invalid?
Josh Radcliff (AdWords API Team)
Aug 30, 2017, 8:57:59 AM8/30/17
to AdWords API Forum
Hi,
Sorry, I'm not 100% clear on the issue you described in the post below. Could you provide more details?
Note that if you'd prefer, you can send the details only to me by clicking Reply privately to author on this post.
Thanks,
Josh, AdWords API Team
Reply all
Reply to author
Forward
0 new messages