Is client_id/client_secret a joke for open source apps?


Matt Armstrong

May 15, 2011, 1:09:45 PM
to oauth...@googlegroups.com
What is the model for the native app flow for open source apps?

Isn't the "client_secret" in any native app a bit of a joke, as hackers can and will just hack the binary to extract it, making it basically worthless?  The problem with an open source app is worse, as the source is visible.

Is the expectation that each user must create their own client_id?

I notice that Google's OAuth 1.0 supports anonymous clients.  Is this planned for 2.0 as well?

Andrew Wansley

May 17, 2011, 2:59:29 PM
to oauth...@googlegroups.com
Hey Matt,

We don't expect those secrets to stay secret—so far we're including them mostly so it's convenient to use with libraries today, and expect to stop requiring them at some point in the future.

Andrew

justin kruger

May 17, 2011, 3:23:25 PM
to oauth...@googlegroups.com
matt, how would you secure a native/mobile app?
--
Justin Kruger
Social Media Software Engineer -
San Francisco, CA

--
http://twitter.com/jdavid
http://www.linkedin.com/in/jdavid

Andrew Wansley

May 17, 2011, 4:25:22 PM
to oauth...@googlegroups.com
And just to clarify—I'm talking only about installed apps here. Secret secrets are very important for web apps! :)

On Tue, May 17, 2011 at 11:59 AM, Andrew Wansley <aw...@google.com> wrote:

Henri Wiechers

Jun 11, 2011, 6:17:08 AM
to oauth...@googlegroups.com
I'm in a similar situation and I just want to be absolutely clear on this before I do something stupid.

I'm going to create a client id for an installed application in the Google APIs Console,
then I'm going to (effectively) post the client_id and client_secret publicly so that anyone can use them.

Is the above the correct procedure for open source native apps?

Chris Johnson

Aug 11, 2011, 5:18:15 PM
to oauth...@googlegroups.com
I've been wondering about this also. With OAuth 1.0, much was made about the issue of embedding the consumer secret in installed applications. Google recommended (in the Latitude docs) writing a proxy on Google App Engine with which your application could communicate so that you didn't have to expose your consumer secret. With OAuth 2.0, they seem to be saying just to go ahead and embed your client secret. Is there something about OAuth 2.0 that means that embedding your client secret in an installed application is not a concern?

Forgive my ignorance if this is a silly question. I'll admit that I don't know a hell of a lot about OAuth 2.0.
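The proxy pattern Chris mentions (a server-side component that holds the secret so the installed app never has to) can be modelled end to end in a few dozen lines. The example below is an added illustration, not code from this thread, from Google, or from any App Engine sample: the token endpoint, the proxy and the installed app are all plain functions in one process so it runs offline, and every client id, secret, code and redirect URI is a constructed placeholder. It shows why the secret is only worth anything when a party can actually keep it: a direct exchange from an app that ships without the secret is rejected as an unknown client, while the same exchange routed through the confidential proxy succeeds, and the proxy is the only place the secret ever lives.

```python
"""Added example: a confidential token-exchange proxy for an installed app.

Three roles, all simulated in-process with constructed values:
  * token_endpoint            -- the authorization server's /token endpoint
  * proxy_exchange            -- server-side proxy; the ONLY holder of client_secret
  * installed_app_flow        -- what ships in the binary; knows no secret
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

CLIENT_ID = "example-installed-app"            # constructed; public by design
CLIENT_SECRET = "proxy-only-s3cr3t-placeholder"  # constructed; never compiled into the app
REDIRECT_URI = "http://localhost/callback"     # constructed

# --- simulated authorization server ---------------------------------------
# Authorization codes issued at the user-consent step: code -> client_id.
_ISSUED_CODES: dict[str, str] = {}


def authorization_step(client_id: str) -> str:
    """Simulates the browser consent step: mints a single-use authorization code."""
    code = secrets.token_urlsafe(12)
    _ISSUED_CODES[code] = client_id
    return code


def token_endpoint(form_body: str) -> dict:
    """Simulated /token endpoint taking an application/x-www-form-urlencoded body.

    A confidential client must present the correct client_secret. The secret
    is checked before the code is consumed, so a failed authentication does
    not burn the code; codes are single use once accepted.
    """
    params = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
    if params.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    presented = params.get("client_secret", "")
    # Constant-time comparison so the check itself leaks nothing about the secret.
    if params.get("client_id") != CLIENT_ID or not hmac.compare_digest(presented, CLIENT_SECRET):
        return {"error": "invalid_client"}
    code = params.get("code", "")
    if _ISSUED_CODES.pop(code, None) != CLIENT_ID:
        return {"error": "invalid_grant"}
    return {
        "access_token": secrets.token_urlsafe(24),
        "token_type": "Bearer",
        "expires_in": 3600,
    }


# --- confidential proxy (the App Engine-style component from the post) -----
def proxy_exchange(code: str) -> dict:
    """Runs on the server. Receives only the code, adds the secret, forwards."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
    })
    return token_endpoint(body)


# --- installed app ----------------------------------------------------------
def installed_app_flow(code: str) -> dict:
    """What the shipped binary does: hands the code to the proxy, gets tokens back.
    Nothing in this function (or anything reachable from the binary) holds the secret."""
    return proxy_exchange(code)


def direct_exchange_without_secret(code: str) -> dict:
    """The alternative Matt is asking about: an app that refuses to embed the
    secret and talks to the token endpoint itself. The server cannot tell it
    apart from any other anonymous caller and rejects it."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
    })
    return token_endpoint(body)


if __name__ == "__main__":
    code = authorization_step(CLIENT_ID)
    print("direct, no secret :", direct_exchange_without_secret(code))
    print("via proxy         :", installed_app_flow(code))
    print("code reused       :", installed_app_flow(code))
```

The point to take from it is the one Andrew makes: relocating the secret only helps if the party holding it is something the server can actually authenticate, which is true of a web backend and not of a binary on the user's machine. The proxy is then itself an internet-facing endpoint that anyone can hand a code to, so in a real deployment it needs its own protections (binding the exchange to the registered redirect URI, rate limiting, logging) rather than being treated as a drop-in replacement for a secret the app could never keep.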