everyone. I'm recently learning OAuth authentication. I'm playing around with google's oauth api. In the tutorial for Google Sign-In for server-side apps, in the third step - Initialize the GoogleAuth object, you need to provide the client id to initialize the GoogleAuth object. I'm just wondering if we need to keep the client id secret because right now anyone can find out what the client id is by looking into the javascript.
可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
回答1:
You don't need to hide the client ID, provided that you restricted access to specific JavaScript origins and redirect URI's on the server side. See more details on this Quora thread or this IETF thread.