CasCap.Apis.GooglePhotos
Option to omit client secret during authorization allowing for use of this library in a distributed app
I'm far from an expert on the matters of OAuth and Google's APIs, but here's what I have gathered:
- in a distributed app, such as one that would run on a user's desktop, the app's client secret for the Google API should not be included in the distribution because then it ceases to be a secret.
- the recommendation for such a distributed app is to use Authorization Code Flow with Proof Key for Code Exchange (PKCE). This flow does not require a client secret to be included in any authorization payloads.
- Google's dotnet library for authorization supports a PKCE flow. In fact, its AuthorizeAsync method has a "usePkce" argument that defaults to true. This seems to have been introduced in June 2023.
There's one caveat though: it seems when you request credentials for your app from the Google Cloud Console and you specify the app as a "Desktop app", Google still wants to see a client secret in the authorization request. However, specifying the app as "Universal Windows Platform (UWP)" -- even if the app has nothing to do with UWP -- opens the door for your app to omit the client secret and only send the client id. For example, this code successfully authorizes a user:
```csharp
using System.Threading;
using Google.Apis.Auth.OAuth2;

// Only the client id is supplied: no ClientSecret, so nothing secret ships with the app.
// _settings is the app's own configuration object holding the Google API client id.
UserCredential credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
    new ClientSecrets { ClientId = _settings.GoogleAPIClientId },
    new[] { "https://www.googleapis.com/auth/photoslibrary.readonly" },
    "local_user_X",        // key under which the broker stores the user's token
    CancellationToken.None
);
```
I believe this flow, where the client secret is omitted, is also now the recommendation for single-page apps.
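Added example (not part of this issue or of the CasCap library) showing what the PKCE flow the post refers to actually exchanges, with both the client side and the authorization server's check, so it is clear why no client secret is needed. It is written in Python because the mechanics are language-independent; the endpoint URLs are Google's documented OAuth 2.0 endpoints, while the client id, redirect URI and authorization code are constructed placeholders.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import urlencode

# Google's documented OAuth 2.0 endpoints; client id / redirect URI used below are placeholders.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
PHOTOS_READONLY_SCOPE = "https://www.googleapis.com/auth/photoslibrary.readonly"

_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 4.1: high-entropy random string of 43..128 unreserved characters.
    32 random bytes base64url-encoded without padding give exactly 43 characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def is_valid_verifier(verifier: str) -> bool:
    """Length and character-set rules of RFC 7636 4.1."""
    return 43 <= len(verifier) <= 128 and set(verifier) <= _UNRESERVED


def make_code_challenge(verifier: str) -> str:
    """RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id, redirect_uri, scopes, state, challenge):
    """Step 1: URL the app opens in the user's browser. Only the public client id and the
    challenge travel here; the verifier never leaves the app's memory."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def build_token_request(client_id, redirect_uri, code, verifier):
    """Step 2: form body POSTed to TOKEN_ENDPOINT after the redirect delivers `code`.
    The verifier proves this is the same client session that started the flow; there is
    deliberately no client_secret field, which is the point for a distributed app."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def server_accepts(stored_challenge, presented_verifier):
    """What the authorization server does with the token request: recompute S256 over the
    presented verifier and compare it with the challenge bound to the code at step 1.
    A code stolen from the redirect is useless without the matching verifier."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def demo():
    """Run both ends of the exchange locally with a constructed authorization code."""
    client_id = "CLIENT_ID.apps.googleusercontent.com"   # placeholder
    redirect_uri = "http://127.0.0.1:8080/"              # loopback redirect, placeholder port
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorization_url(client_id, redirect_uri, [PHOTOS_READONLY_SCOPE],
                                  secrets.token_urlsafe(16), challenge)
    # In a real run the browser visits `url` and Google redirects back with ?code=...&state=...
    constructed_code = "4/0AbCdEf-constructed-code"
    body = build_token_request(client_id, redirect_uri, constructed_code, verifier)
    return url, body, server_accepts(challenge, body["code_verifier"])


if __name__ == "__main__":
    url, body, ok = demo()
    print(url)
    print(body)
    print("server would accept:", ok)
```

The `state` value is generated per flow and must be compared on the redirect as well; PKCE binds the token request to the verifier, `state` binds the redirect to the session that opened the browser.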