Google OAuth - Keeping Client ID Secrecy

Question

Google OAuth - Keeping Client ID Secrecy

When using OAuth in a JavaScript client for Google endpoints, how do I keep client id confidential?

How to implement 0Auth in Google endpoints Google. The JavaScript client is described in detail here . In the code snippet below, the client ID is passed as an argument to the OAuth method.

gapi.auth.authorize({client_id: CLIENT_ID, scope: SCOPES,
    immediate: mode}, callback);

Since the end user will receive the script file in clear text, regardless of the use of HTTPS, how would you avoid passing the client ID to each user you serve? In the end, it would be pretty easy to comb JavaScript code to find the client ID.

+4

oauth oauth-2.0 clientid webclient google-cloud-endpoints

Marc M. Mar 08 '14 at 8:00

source share

1 answer

willlma · Accepted Answer · 2014-03-08T08:45:55+0000

No. Anyone can see and intercept him (as you stated), which is the root of the problem of the implicated deputy.

This is why you check your tokens . For a simple explanation of token validation and a confusing substitute problem, check out this big question and answer on How and why Google OAuth token validation is performed .

Google OAuth - Keeping Client ID Secrecy

More articles: