
ship oauth2 client_id and client_secret #9

Merged
gauteh merged 2 commits into master from no-key-public on Apr 3, 2017

Conversation

@gauteh
Owner

gauteh commented Apr 3, 2017

this way a user does not need to get his own API key, though it might be
safer. As far as I can see, there should be no way to access mail
without getting the access and refresh tokens with the user's consent.

According to https://developers.google.com/identity/protocols/OAuth2#installed, client_id and client_secret are not so secret in these types of applications, but who knows how this works..

A malicious attacker might steal the id and secret and use it in his own
project; this might use the app quota, but should not be able to access the
user account.

some more discussion:

* http://stackoverflow.com/questions/25957027/oauth-2-installed-application-client-secret-considerationsgoogle-api/43061998#43061998
* http://stackoverflow.com/questions/19615372/client-secret-in-oauth-2-0?rq=1
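To make the consent argument in the description above concrete, here is a toy model of the OAuth2 installed-application authorization-code flow. It is an added example, not code from lieer/gmi or from Google: the in-memory ToyAuthServer stands in for Google's authorization and token endpoints, and the client id, client secret, user name and "attacker-client" project in it are constructed. It checks which of the things an attacker might hold (the shipped client_id and client_secret, a user's stored refresh token, a project of their own) actually yields tokens for a mailbox in this model.

```python
"""Toy model of the OAuth2 installed-app flow (added example, not gmi code).

Assumptions, labelled here and in the comments: the server is an in-memory
stand-in for Google's endpoints, refresh tokens are bound to the client_id
they were issued to, and every id, secret, code and user name is made up.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SHIPPED_CLIENT_ID = "123456.apps.googleusercontent.example"  # constructed
SHIPPED_CLIENT_SECRET = "not-really-a-secret"                 # constructed


@dataclass
class ToyAuthServer:
    """Registered clients, one-time authorization codes and refresh tokens."""
    clients: dict = field(default_factory=dict)         # client_id -> secret
    codes: dict = field(default_factory=dict)           # code -> (client_id, user)
    refresh_tokens: dict = field(default_factory=dict)  # refresh -> (client_id, user)

    def register(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authorize(self, client_id, user, consent):
        """Consent screen: only a user who clicks 'Allow' gets a code."""
        if client_id not in self.clients:
            raise PermissionError("unknown client_id")
        if not consent:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def _check_client(self, client_id, client_secret):
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")

    def token(self, client_id, client_secret, code):
        """Token endpoint: one-time code (plus client creds) -> access + refresh."""
        self._check_client(client_id, client_secret)
        owner = self.codes.pop(code, None)  # pop: a code can be redeemed once
        if owner is None or owner[0] != client_id:
            raise PermissionError("invalid_grant")
        refresh = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = owner
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": refresh, "user": owner[1]}

    def refresh(self, client_id, client_secret, refresh_token):
        """Refresh grant: token must belong to the presenting client (assumption)."""
        self._check_client(client_id, client_secret)
        owner = self.refresh_tokens.get(refresh_token)
        if owner is None or owner[0] != client_id:
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "user": owner[1]}


def attacker_with_leaked_client_creds(server):
    """Shipped client_id/secret but no user consent: no code, so no tokens."""
    try:
        server.token(SHIPPED_CLIENT_ID, SHIPPED_CLIENT_SECRET, "guessed-code")
    except PermissionError as err:
        return str(err)
    return "unexpected success"


def legitimate_user(server, user="alice@example.com"):
    """What gmi auth does: user consents, client exchanges the code."""
    code = server.authorize(SHIPPED_CLIENT_ID, user, consent=True)
    return server.token(SHIPPED_CLIENT_ID, SHIPPED_CLIENT_SECRET, code)


def attacker_with_stolen_refresh_token(server, refresh_token):
    """The locally stored refresh token plus the shipped creds is enough."""
    return server.refresh(SHIPPED_CLIENT_ID, SHIPPED_CLIENT_SECRET, refresh_token)["user"]


def attacker_with_own_project(server, refresh_token):
    """A stolen refresh token presented from a different registered client."""
    server.register("attacker-client", "attacker-secret")  # constructed project
    try:
        server.refresh("attacker-client", "attacker-secret", refresh_token)
    except PermissionError as err:
        return str(err)
    return "unexpected success"


def run_demo():
    server = ToyAuthServer()
    server.register(SHIPPED_CLIENT_ID, SHIPPED_CLIENT_SECRET)
    no_consent = attacker_with_leaked_client_creds(server)
    tokens = legitimate_user(server)
    stolen = attacker_with_stolen_refresh_token(server, tokens["refresh_token"])
    other = attacker_with_own_project(server, tokens["refresh_token"])
    return {"no_consent": no_consent, "stolen_refresh": stolen, "other_project": other}


if __name__ == "__main__":
    print(run_demo())
```

In this model the shipped credentials on their own never produce a token: the token endpoint needs a one-time code that only the consent screen issues, and a refresh token is tied to the client_id it was issued to. The artefact worth protecting is therefore the refresh token that gets stored locally after authorization, since that together with the public client credentials lets anyone mint access tokens. Whether Google binds refresh tokens to the client exactly this way is an assumption of the model, not something the thread establishes.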

@gauteh

This comment has been minimized.

@gauteh

This comment has been minimized.

Owner Author

gauteh commented Apr 3, 2017

@odeke-em

This comment has been minimized.


odeke-em commented Apr 3, 2017

@gauteh in regard to #9 (comment)

a malicious attacker might steal the id and secret and use it in his own
project, this might use the app quota, but should not be able to access
user account.

that's pretty much like another user using your app ;) We use the shipped client_secret and client_id in drive too, and for the past 3+ years there haven't been problems, except for quota exhaustion from a Google Drive platform bug.

@gauteh

This comment has been minimized.

Owner Author

gauteh commented Apr 3, 2017

@gauteh gauteh force-pushed the no-key-public branch from 57f537f to 2ee4d03 Apr 3, 2017
@gauteh gauteh force-pushed the no-key-public branch from 2ee4d03 to efc67d6 Apr 3, 2017
@gauteh gauteh merged commit 5123c7e into master Apr 3, 2017
@aureooms

This comment has been minimized.


aureooms commented Jun 19, 2018

Does that mean each client gets its own API key, or do we still have to generate our own to avoid hitting API limits, as suggested in the README?

@gauteh

This comment has been minimized.

Owner Author

gauteh commented Jun 19, 2018

@aureooms

This comment has been minimized.


aureooms commented Jun 19, 2018

Do you mean that the default key has higher limits? I am currently going through an initial sync. I generated my own key, downloaded it, and ran gmi auth -c client_id.json. Is that how I was supposed to use it? I was just unsure of the meaning of this pull request. I thought it meant you were generating a personal key as part of the initialization.

@gauteh

This comment has been minimized.

Owner Author

gauteh commented Jun 19, 2018

@gauteh

This comment has been minimized.

Owner Author

gauteh commented Jun 19, 2018

@gauteh

This comment has been minimized.

Owner Author

gauteh commented Jun 19, 2018

3 participants