android - Why Google native oauth2 flow require client secret?

Question

According to facebook oauth2 docs, client side flow doesn't require client secret param. Client side flow can be used on both native and mobile web apps.

However google's native oauth2 flow require client secret http://code.google.com/apis/accounts/docs/OAuth2.html#IA.

In this case client secret can be stolen by hacker using reverse engineering tools.

Can somebody clarify why it was done this way?

Answer 1

According to a post from a Googler, the main reason is that they use the same libraries for server-side apps and native apps. It sounds like they don't consider client_secret to be sensitive in the context a native app, but they plan to phase it out for the installed app flow eventually.

From https://groups.google.com/group/oauth2-dev/browse_thread/thread/1e714924ebcc7e60/edfaaad5830ff2e8 :

We don't expect those secrets to stay secret—so far we're including them mostly so it's convenient to use with libraries today, and expect to stop requiring them at some point in the future.

While that might sound bad, keep in mind that OAuth was never intended to prevent malicious users from forging requests in the context of your mobile/desktop app.

If you're concerned about exposing client_secret, there is also the client-side flow described here: http://code.google.com/apis/accounts/docs/OAuth2.html#CS As far as I can tell, the client-side flow doesn't require client_secret and would work fine from a desktop or mobile app.

-Chris