I’m currently working on an app which interacts with Gmail API using OAuth2. In that app, I read a file credentials.json for reading client id and secret.
Since these are sensitive data, I want to build them along with the package so that the built executable doesn’t look for credentials.json again. I also don’t want to plainly include the credentials in the code.
Is it possible to attain this?
I’ve used a project called statik for embedding files into binaries. Your embedded files are NOT secure though!
So, the client_id and client_secret can easily be found through the binary?
If it’s there it’s there. Someone else could, if they want to, reverse engineer your binary and extract the data. How about an oauth flow where the user authenticates your app to act on his behalf?
I’m using that flow only. The token and all is generated on the client side only. But to make the authorization request, I’m required to pass in my client credentials(belonging to the app), which is where I’m currently stuck it in deciding whether to go open source or not.
What API are you trying to access? Is it Google? 
There got to be another way, cause you’re not supposed to leave the client_secret with the user in any way.
From what I can read you only need the client_id when using the oauth flow where the user authenticates your app. The mode where you also use your client_secret is for servers where the user can’t access the secret.
Yeah, I did some research and came to that conclusion as well, however I think the question itself does point at a general situation.
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.