Google's OAuth 2.0 for installed apps and Client Secret not being a secret

情话喂你 2021-02-10 18:41

It appears that Google has been modernizing OAuth interactions for native apps as announced initially here https://developers.googleblog.com/2016/08/modernizing-oauth-interacti

1 answer
  • 2021-02-10 19:25

    The behavior of Google's authorization server is gated on the type of client you register.

    It's an oddity that the "client secret" is required for Desktop and TV clients, but not iOS and Android; however, for all 4 native app types, the server treats the clients as non-confidential, and the "client secret" value is effectively an extension of the client id. This is in contrast to web clients, where it is assumed the client secret confidentiality is maintained, and thus they can be treated differently for actions like incremental auth.

    Regarding the registration of redirect URIs, this is also gated on client types. For some types like Web, manual registration is required. For other types like Desktop, the redirect URI is pre-registered (in the case of desktop, http://127.0.0.1:*/*).
