Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
According to facebook oauth2 docs, client side flow doesn’t require client secret param. Client side flow can be used on both native and mobile web apps.
However google’s native oauth2 flow require client secret http://code.google.com/apis/accounts/docs/OAuth2.html#IA.
In this case client secret can be stolen by hacker using reverse engineering tools.
Can somebody clarify why it was done this way?
According to a post from a Googler, the main reason is that they use the same libraries for server-side apps and native apps. It sounds like they don’t consider client_secret to be sensitive in the context a native app, but they plan to phase it out for the installed app flow eventually.
From https://groups.google.com/group/oauth2-dev/browse_thread/thread/1e714924ebcc7e60/edfaaad5830ff2e8 :
While that might sound bad, keep in mind that OAuth was never intended to prevent malicious users from forging requests in the context of your mobile/desktop app.
If you’re concerned about exposing client_secret, there is also the client-side flow described here: http://code.google.com/apis/accounts/docs/OAuth2.html#CS As far as I can tell, the client-side flow doesn’t require client_secret and would work fine from a desktop or mobile app.
-Chris