I assume you are talking about OAuth.
Yes, you do embed the secret - but no, it is not a secret; see another post here: OAuth - embedding client secret in your application?
Google's docs actually say the same thing; from: https://developers.google.com/accounts/docs/OAuth2#installed
"The client_id and client_secret obtained during registration are embedded in the source code of your application. In this context, the client_secret is not explicitly considered a secret."
And there is no point in trying to protect it - it has to go across the wire to get to Google, and anyone with Fiddler, etc. could watch it in plain text.
As for the impact: the idea of the client secret, I believe, is to protect the client vendor (which is you). Theoretically, if I know your client key and secret, I can create a malicious website / client that lets users log in legitimately, but then deletes all their tasks, and it will look like you are responsible. It probably makes sense to defend against that for web services, but for an installed client, the user supposedly downloaded it from somewhere (application store, website, etc.), which, I hope, made sure that it was legitimate.
ckhan
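The answer's point about the secret crossing the wire, as an added example that is not part of the original answer: it builds the RFC 6749 authorization-code token request an installed app would send and parses it the way a debugging proxy on the user's machine reads the decrypted request. The host `auth.example.com`, the credential values and both function names are assumptions constructed for illustration.

```python
from urllib.parse import urlencode, parse_qs

# Constructed placeholder values, not real credentials.
CLIENT_ID = "1234567890-example.apps.example.com"
CLIENT_SECRET = "constructed-not-a-real-secret"


def build_token_request(code, redirect_uri):
    """Raw HTTP request an installed app sends to swap an auth code for tokens."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # shipped inside the app, sent as a plain form field
    })
    head = (
        "POST /token HTTP/1.1\r\n"
        "Host: auth.example.com\r\n"  # hypothetical token endpoint host
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n"
    )
    return (head + body).encode()


def fields_seen_by_proxy(raw_request):
    """Form fields readable by anything that sees the decrypted request."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode().split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        return {}  # not a form post, nothing to decode
    length = int(headers.get("content-length", len(body)))
    parsed = parse_qs(body[:length].decode(), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


if __name__ == "__main__":
    raw = build_token_request("constructed-auth-code", "http://127.0.0.1:8765/callback")
    for name, value in fields_seen_by_proxy(raw).items():
        print(f"{name} = {value}")
```

Because every copy of the installed app carries and sends the same value, a server that receives it learns nothing about who the caller is.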