OAuth 2 installed application client secret considerations (Google API)

I am developing an installed application that accesses the Google API through OAuth2. There are some security issues for which I currently do not know a solution. No matter how hard I make it to obfuscate my client secret, someone can extract it and use it. Two problems arise from this:

  • someone uses my client secret to change user data:

    it seems that the installed application would still have to be authorized again when the refresh token is not used. However, I'm not sure whether this is part of the client API that I use, or whether it is provided on the server side. If it is provided on the server side, I am happy with that :)

  • someone uses my client secret to exceed the access quota:

    Well, that depends on Google. Until I pay, I have a free quota, and it can be exhausted. Therefore, someone can use my client secret to exhaust the quota, and no other client will be able to get data :( I can't think of a real solution for this, and I will never upgrade the service to a paid tier.

The only safe solution that comes to my mind is to have a web server as a gateway that interacts with Google and passes the access token to the client. Or maybe it even holds the tokens itself and simply passes on the requested data (after user authentication (OpenID ... whatever)).

In conclusion: I do not have a web server that I could use as a gateway. Therefore, while user data is protected (no one can access it with a stolen client secret without the user granting new tokens), I can only use the free quota limit, watch how quickly it is exceeded, and never upgrade it.

I would be happy for any comments on this topic. Thanks!

+5

Source: https://habr.com/ru/post/1203062/
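As an added example that is not part of the original post: the standard mitigation for exactly the problem the question describes is PKCE (RFC 7636), which Google's authorization and token endpoints support for installed apps; it binds each authorization code to a one-time verifier held only by the running client, so an extracted client secret alone is not enough to redeem a code for tokens. The Google authorization endpoint URL is real; the client id, redirect URI and the server-side bookkeeping are placeholders constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Added example, not code from the original post. Shows RFC 7636 PKCE with
# code_challenge_method=S256. GOOGLE_AUTH_ENDPOINT is Google's public OAuth 2
# authorization endpoint; client id / redirect URI values are placeholders.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def make_code_verifier(n_bytes: int = 32) -> str:
    """Fresh high-entropy verifier, 43..128 unreserved chars (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_url(client_id: str, redirect_uri: str, scope: str, state: str, verifier: str) -> str:
    """Authorization request that carries only the challenge; the verifier never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def token_endpoint_accepts(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server-side check at the token endpoint (placeholder model of what the
    authorization server does): the code was bound to the challenge when it was
    issued, so a party holding the code and even the client secret, but not the
    verifier, cannot redeem it. Only S256 is accepted here; 'plain' is rejected."""
    if stored_method != "S256":
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```

Only the challenge is sent on the authorization request and only the verifier on the token request, so neither a leaked client secret nor an intercepted authorization code is sufficient on its own.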
