Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ship oauth2 client_id and client_secret #9

Merged
merged 2 commits into from Apr 3, 2017
Merged

ship oauth2 client_id and client_secret #9

merged 2 commits into from Apr 3, 2017

Conversation

@gauteh
Copy link
Owner

@gauteh gauteh commented Apr 3, 2017

this way a user does not need to get his own API key, though it might be
safer. as far as I can see, there should be no way to access mail
without getting the access and refresh tokens with the users consent.

according to: https://developers.google.com/identity/protocols/OAuth2#installed client_id and client_secret is not so-secret in these types of applications, but who know how this works..

a malicious attacker might steal the id and secret and use it in his own
project, this might use the app quota, but should not be able to access
user account.

some more discussion:

@gauteh
Copy link
Owner Author

@gauteh gauteh commented Apr 3, 2017

@gauteh
Copy link
Owner Author

@gauteh gauteh commented Apr 3, 2017

@odeke-em
Copy link

@odeke-em odeke-em commented Apr 3, 2017

@gauteh in regards to #9 (comment)

a malicious attacker might steal the id and secret and use it in his own
project, this might use the app quota, but should not be able to access
user account.

that's pretty much like another user using your app ;) We use the shipped client_secret and client_id too in drive, and for the past 3+ years, there haven't been problems except with quota exhaustions from a Google Drive platform bug.

@gauteh
Copy link
Owner Author

@gauteh gauteh commented Apr 3, 2017

@gauteh gauteh force-pushed the no-key-public branch from 57f537f to 2ee4d03 Apr 3, 2017
this way a user does not need to get his own API key, though it might be
safer. as far as I can see, there should be no way to access mail
without getting the access and refresh tokens with the users consent.

according to: https://developers.google.com/identity/protocols/OAuth2#installed client_id and client_secret is not so-secret in these types of applications, but who know how this works..

a malicious attacker might steal the id and secret and use it in his own
project, this might use the app quota, but should not be able to access
user account.

some more discussion:

* http://stackoverflow.com/questions/25957027/oauth-2-installed-application-client-secret-considerationsgoogle-api/43061998#43061998
* http://stackoverflow.com/questions/19615372/client-secret-in-oauth-2-0?rq=1
@gauteh gauteh force-pushed the no-key-public branch from 2ee4d03 to efc67d6 Apr 3, 2017
@gauteh gauteh merged commit 5123c7e into master Apr 3, 2017
@make-github-pseudonymous-again
Copy link
Contributor

@make-github-pseudonymous-again make-github-pseudonymous-again commented Jun 19, 2018

Does that mean each client gets its own API key or do we still have to generate our own to avoid hitting api limits as suggested in the README?

@gauteh
Copy link
Owner Author

@gauteh gauteh commented Jun 19, 2018

@make-github-pseudonymous-again
Copy link
Contributor

@make-github-pseudonymous-again make-github-pseudonymous-again commented Jun 19, 2018

Do you mean that the default key has highers limits? I am currently going through an initial sync. I generated my own key, downloaded it, and ran gmi auth -c client_id.json. Is that how I was supposed to use it? I was just unsure of the meaning of this pull request. I thought it meant you were generating a personal key as part of the initialization.

@gauteh
Copy link
Owner Author

@gauteh gauteh commented Jun 19, 2018

@gauteh
Copy link
Owner Author

@gauteh gauteh commented Jun 19, 2018

@gauteh
Copy link
Owner Author

@gauteh gauteh commented Jun 19, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants