I am looking into creating a desktop app in an interpreted language that accesses Google's APIs. From what I can tell, there is a security hole. The client secret would be exposed within the code, and even if I created the application in C++ or Java, the code could be decompiled/disassembled and the secret could in theory be found. Is there any way around that besides obfuscating the code? I'd like to be able to distribute the code for others to use.
OAuth 2.0 Threat Model and Security Considerations (RFC 6819) lists Obtaining Client Secrets as a threat.
And as the Google doc Using OAuth 2.0 for Installed Applications says:
So there are no Client "Secrets" in fact. Trying to obfuscate a secret in installed applications is a futile effort as the secrets can always be recovered using the abundance of reverse-engineering and debugging tools.
Of course, you should do your best to protect secrets but at the end, a highly motivated hacker can always get it in an installed application. So it's the value of the secret vs. difficulty of extraction. The value of the client secret is impersonating the application. It doesn't give any access to user data.
My suggestions: Just take the risk and go ahead and obfuscate it. Or you can consider using the proxy pattern (move the secret to a web server acting as an API proxy).
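The proxy pattern the answer suggests, sketched as an added example that is not from the question or the answer: the desktop client sends only the authorization code to a proxy you run, and the proxy is the only party that ever handles the client secret. The proxy route, the redirect allowlist and the client id are assumptions; the code builds the requests but does not send them.

```python
# Added example: the "proxy pattern" for an installed app that must not ship a
# client secret. Two halves, client (distributed) and proxy (server we control).
from urllib.parse import urlencode

GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"   # Google's token endpoint
CLIENT_ID = "000000-example.apps.googleusercontent.com"         # constructed placeholder

# ---- Desktop client side: ships to users, contains no secret at all ----------
PROXY_TOKEN_ROUTE = "https://proxy.example.invalid/oauth/token"  # assumed proxy route

def client_exchange_request(code: str, redirect_uri: str) -> dict:
    """Request the installed app sends to *our* proxy. Note: no client_secret."""
    return {"url": PROXY_TOKEN_ROUTE,
            "body": {"code": code, "redirect_uri": redirect_uri}}

# ---- Proxy side: runs on our server; the secret lives only here ---------------
ALLOWED_REDIRECTS = {"http://127.0.0.1:8765/callback"}  # constructed allowlist

def proxy_token_request(client_body: dict, client_secret: str) -> dict:
    """Build the token request the proxy sends to Google on the client's behalf.

    The proxy validates what the client sent before attaching the secret, so a
    caller cannot use the proxy to redeem codes for redirect URIs we did not
    register. The secret never appears in anything returned to the client.
    """
    redirect_uri = client_body.get("redirect_uri", "")
    if redirect_uri not in ALLOWED_REDIRECTS:
        raise ValueError("redirect_uri not in allowlist")
    code = client_body.get("code", "")
    if not code:
        raise ValueError("missing authorization code")
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,   # only ever present server-side
    }
    return {"url": GOOGLE_TOKEN_ENDPOINT, "body": urlencode(form)}

def leaks_secret(request: dict, client_secret: str) -> bool:
    """True if the given request object would carry the secret over the wire."""
    return client_secret in repr(request)
```

Because the proxy now does what the secret used to do, it needs its own controls (authenticated callers, rate limits, logging of exchanges); otherwise the proxy simply becomes the new thing to abuse.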