Best practices for desktop apps using OAuth2


Eric Jacksch

Oct 8, 2020, 9:42:10 AM10/8/20
to google-cicp-discussion
Greetings,

Apologies in advance if I've picked the wrong group -- any pointers are greatly appreciated.

I'm a cybersecurity consultant looking at a desktop app that uses OAuth2 to access data in the user's Gmail account.

As I understand it, the application itself requires a ClientID and ClientSecret (obtained through the developer console) in order to start the process. Then it launches a browser so that the user can authenticate to Google and obtain a token.

What is the best practice for storing the application's ClientID and ClientSecret? 

Is hard coding them considered acceptable?

What are the security implications of having potentially thousands of users running the same desktop software and potentially extracting the ClientID and ClientSecret?

Thanks,
Eric


Jason Gawrych

Oct 9, 2020, 9:47:12 AM10/9/20
to google-cicp-discussion
Hi,

I would suggest reading through the attached article [1]. This article provides recommended policies on how to secure the OAuth client and the access token that is given. It also provides other best practices to follow as well.

Eric Jacksch

Oct 21, 2020, 10:29:46 AM10/21/20
to google-cicp-discussion

I did read the Google docs, but they unfortunately don't address the issue.

For a desktop app, the Google API Console provides a Client ID and Client Secret for the app.

Assuming that the app will be widely distributed, what’s the practical solution for dealing with the Client ID and Secret? It doesn’t seem practical to request one for each separate desktop install, but if it is included with the desktop app any user could potentially reverse the app and obtain the Client ID and Secret.

I’m trying to understand if I’ve missed something or what the best practice is in this case.

Any info or pointers greatly appreciated.
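As an added illustration (not code from Eric's application, from anyone in this thread, or from Google's client libraries), the following Python sketch implements the desktop flow Eric describes: the app launches the browser, receives the redirect on a loopback listener, and exchanges the authorization code for tokens. Since any user can extract the Client ID and Secret from a distributed binary, the secret is treated as public information and is not what protects the exchange; the per-request PKCE verifier (RFC 7636) and the state check, which the OAuth 2.0 Security Best Current Practice recommends for native apps, are. The endpoint URLs, the Gmail scope string and the placeholder client credentials are assumptions to confirm against current Google documentation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed endpoint URLs for Google's OAuth 2.0 server; confirm against current docs.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def code_challenge_for(code_verifier):
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) with the '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh per-request verifier (43 URL-safe chars from 32 random bytes) plus its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_for(verifier)


def build_auth_url(client_id, redirect_uri, scope, state, code_challenge):
    """Authorization request opened in the browser; the client secret never appears here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(path, expected_state):
    """Validate the loopback redirect and return the authorization code, or raise."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    # Binding the response to the state this process generated stops injected redirects.
    received = query.get("state", [""])[0]
    if not hmac.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


class _RedirectHandler(BaseHTTPRequestHandler):
    """Handles the single GET the browser makes to the loopback redirect URI."""

    def do_GET(self):
        try:
            self.server.code = parse_redirect(self.path, self.server.expected_state)
            body = b"Authorization complete. You may close this window."
        except ValueError as exc:
            self.server.error = str(exc)
            body = b"Authorization failed."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the code and state out of stdout/logs
        pass


def wait_for_code(port, expected_state):
    """Serve exactly one request on 127.0.0.1:<port> and return the validated code."""
    server = HTTPServer(("127.0.0.1", port), _RedirectHandler)
    server.expected_state, server.code, server.error = expected_state, None, None
    server.handle_request()
    server.server_close()
    if server.error:
        raise ValueError(server.error)
    return server.code


def exchange_code(client_id, client_secret, code, code_verifier, redirect_uri):
    """Token request. The code_verifier proves this process started the flow; the embedded
    client_secret is extractable from any installed app, so it adds no real protection."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }).encode("ascii")
    req = urllib.request.Request(TOKEN_ENDPOINT, data=form, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder credentials: the real values come from the Google API Console.
    CLIENT_ID, CLIENT_SECRET, PORT = "<client-id>", "<client-secret>", 8765
    redirect_uri = f"http://127.0.0.1:{PORT}/"
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    scope = "https://www.googleapis.com/auth/gmail.readonly"  # assumed Gmail scope
    webbrowser.open(build_auth_url(CLIENT_ID, redirect_uri, scope, state, challenge))
    tokens = exchange_code(CLIENT_ID, CLIENT_SECRET, wait_for_code(PORT, state), verifier, redirect_uri)
    print("token type:", tokens.get("token_type"), "expires in:", tokens.get("expires_in"))
```

The design point for a widely distributed desktop app is that the token endpoint will accept the secret from whoever holds the binary, so the controls worth reviewing are the ones a copied secret does not defeat: a freshly generated verifier and state per run, a loopback redirect that only this process is listening on, and the narrowest scope the app actually needs.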

Vivak Patel

Oct 27, 2020, 12:19:02 PM10/27/20
to google-cicp-discussion
Hi Eric

Although I can't comment on a practical solution for how to store the Client Id and Secret, there is an OAuth 2.0 Security Best Current Practice document which thoroughly highlights best practices. I'm hoping this helps shed some light.

You can also post this question on StackOverflow Oauth for a larger audience and greater visibility.
