It's about open source apps which need to make use of the 'Authorization Code Grant' rather than an implicit grant. Am I allowed to embed the 'Client Secret' into code which is publicly available as open source? Of course there is no way of effectively securing the client credentials of an open source app (technically the credentials could be hidden but never secured). I wasn't able to find any information about this topic in the forums, the docs, or the developer agreement. Thanks in advance.
rclone author here... I should note that that is an encrypted version of the secret, not the actual secret. This isn't a perfect solution for lots of obvious reasons (please don't spell them out in replies to this message ;-), but it was the best I could come up with without running an external service which would handle sensitive authentication information and potentially give me access to lots of my users' accounts.
The security team has confirmed that this functionality is not available. If the client secret goes into open source code, that means it becomes public and theoretically anyone can use the same client ID/secret to impersonate this client. This is completely in violation of the consent provided by the customer that their information can only be accessed by a particular third party.
Just wondering if there's any additional info on this question? I'm considering starting work on an application that would fall into the same situation. I know of one similar app (acd_client in Python) which uses an AppSpot page to accomplish authentication then passes the token back, but it seems less than optimal security-wise to have to pass the info over from a remote app when it could all be done from the app itself. My app would also be command line based like acd-cli, so it complicates things to have to copy/paste web links around to complete authentication. Thanks in advance for any updates!
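The thread asks how an open-source command-line client can use the authorization code grant when any secret shipped in its source is public. The standard answer for such public clients, which none of the posts above mention, is the PKCE extension (RFC 7636): the client proves it is the same party that started the flow with a one-time verifier instead of a static secret. This is an added example, not code from the thread, rclone or the provider; endpoint URLs, client ID and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """Fresh per-authorization code_verifier (43 chars from 32 random bytes)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters (RFC 7636 4.1)")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                      scope: str, state: str, challenge: str) -> str:
    """URL the CLI opens in the user's browser; only the challenge leaves the client."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def token_request(client_id: str, code: str, redirect_uri: str, verifier: str) -> dict:
    """Body of the POST to the token endpoint. Note: no client_secret field at all;
    the verifier ties this request to the authorization request that produced `code`."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri, "code_verifier": verifier}


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does with the stored challenge: an attacker who
    intercepted only the code (or read the client's source) cannot produce the verifier."""
    return secrets.compare_digest(make_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    v = make_verifier()
    url = authorization_url("https://as.example/authorize", "placeholder-client-id",
                            "http://127.0.0.1:53682/cb", "files.read", secrets.token_urlsafe(16),
                            make_challenge(v))
    print("open in browser:", url)
    print("token request body:", token_request("placeholder-client-id", "CODE-FROM-CALLBACK",
                                               "http://127.0.0.1:53682/cb", v))
```

The loopback redirect URI shown (`http://127.0.0.1:<port>/cb`) is how a CLI can receive the code locally instead of relaying it through a remote AppSpot-style page.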