django-rest-framework-social-oauth2
How do I store the client secret in my mobile application for accessing the endpoint 'convert-token'?
I am setting up a Django backend REST API which serves data to my Android application.
Currently the following happens:
- The Android application authenticates with Google OAuth 2.0 and obtains an access token
- The Android application sends the access token along with the client secret and client id generated by django-oauth-toolkit to the convert-token endpoint, and in return receives an access token to access the protected API
- The server then serves private data to the Android app whenever it makes a request having the access token in the header
Now if I store the client id of step 2) in the Android app, then what's to stop a person from decompiling the apk, getting the client secret, and making the convert-token request, bypassing my Android app, and using the returned access token to access/modify private data in my server REST API in an uncontrolled way?
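To make the question concrete, here is an added example (not code from the issue or from the project) that models the convert-token exchange described above as a toy client and server, so that the checks the server is actually in a position to make are explicit. The request field names (`grant_type`, `backend`, `token`, `client_id`, `client_secret`) follow the documented convert-token request; the server logic, the credentials, the "Google" token table and the `ConvertTokenServer` class are all constructed for this illustration and are not the project's implementation.

```python
"""Toy model of the convert-token exchange (added example, not project code).

The request fields match what the mobile app posts to convert-token; the
server side, credentials and provider-token table are constructed here.
"""
import hmac
import secrets

# Constructed sample credentials, standing in for the client_id/client_secret
# that django-oauth-toolkit generates for the Android application.
APP_CLIENT_ID = "android-app-client-id"
APP_CLIENT_SECRET = "android-app-client-secret"

# Constructed stand-in for "ask Google which user this access token belongs
# to". In the real flow the backend verifies the token with the provider.
_GOOGLE_TOKENS = {"ya29.valid-google-token": "alice@example.com"}


def build_convert_token_request(provider_token, client_id, client_secret,
                                backend="google-oauth2"):
    """Form fields the mobile app posts to convert-token (step 2 above)."""
    return {
        "grant_type": "convert_token",
        "backend": backend,
        "token": provider_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }


class ConvertTokenServer:
    """Minimal, constructed model of the server side of the exchange."""

    def __init__(self):
        self.apps = {APP_CLIENT_ID: APP_CLIENT_SECRET}  # registered apps
        self.issued = {}  # access_token -> user it was issued for

    def _verify_provider_token(self, backend, token):
        """Return the user the provider token belongs to, or None."""
        if backend != "google-oauth2":
            return None
        return _GOOGLE_TOKENS.get(token)

    def handle(self, form):
        """Process one convert-token request; return the token or an error."""
        if form.get("grant_type") != "convert_token":
            return {"error": "unsupported_grant_type"}
        expected = self.apps.get(form.get("client_id", ""))
        # Constant-time compare so the secret check does not leak via timing.
        if expected is None or not hmac.compare_digest(
                expected, form.get("client_secret", "")):
            return {"error": "invalid_client"}
        user = self._verify_provider_token(form.get("backend"), form.get("token"))
        if user is None:
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(30)
        self.issued[token] = user
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 36000}

    def user_for(self, access_token):
        """Who a previously issued access token authenticates as (step 3)."""
        return self.issued.get(access_token)


def run_exchange():
    """Run the exchange twice: once as the app, once with copied credentials."""
    server = ConvertTokenServer()
    from_app = build_convert_token_request(
        "ya29.valid-google-token", APP_CLIENT_ID, APP_CLIENT_SECRET)
    # Identical fields built from credentials copied out of the APK: the
    # server receives the same bytes and cannot tell the two callers apart.
    from_elsewhere = dict(from_app)
    return server, server.handle(from_app), server.handle(from_elsewhere)


if __name__ == "__main__":
    srv, app_resp, other_resp = run_exchange()
    print("app:", srv.user_for(app_resp["access_token"]))
    print("copied credentials:", srv.user_for(other_resp["access_token"]))
```

What the model shows is that the server verifies two things: that `client_id`/`client_secret` match a registered application, and that the provider token is valid for some user. The client secret therefore only says which registered application the request claims to come from; it carries no proof of who actually sent the request, and the only input tied to a person is the Google access token the app obtained in step 1. Any access token issued in step 2 authenticates as that person regardless of which client presented the credentials.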
Hi all.
My team and I are constantly using this framework and it seems it has died out there. I contacted the owner by email asking if he would add some of us as maintainers so we could continue to improve it. However we didn't get a response.
I am publishing the project under my profile and we are going to continue to invest time in it.
So I would like to gently ask you to contribute to this project on: https://github.com/wagnerdelima/drf-social-oauth2
Thank you for understanding.