Tags: oauth-2.0, google-oauth

How and why to protect the client secret in OAuth2


Please bear in mind that I'm a noob and rather new to OAuth2. I wanted to get a feeling for OAuth2 and play around with it. For this I've used offlineimap to connect to my Gmail account and retrieve email.

Let me copy some of the config file which I will use to state my general question:

oauth2_client_id = clientId
oauth2_client_secret = clientSecretToken
oauth2_request_url = requestUrl
oauth2_refresh_token = refreshToken
type = IMAP
remotehost = imap.gmail.com
remoteuser = [email protected]
remotepass = mailpasswd('gmail')

As far as I understood, the client_id is used to identify me as me :) and the request URL is just my connecting point on the Google site for an outside app. The refresh token is used to generate an actual access token.

The client secret, as far as I understood, is a shared secret between the app and Gmail to convince Gmail that the correct app is asking for certain access.

Question: If I understood this correctly, the refresh token and the client secret should be "secret". Does this mean it is dangerous to put this information in such a config file? Should we encrypt it like the password (with gpg, for example)?

The last point which is not 100% clear to me in OAuth2 is the following: do I understand it correctly that I need to provide my credentials (username / password), since OAuth2 basically assumes that I'm logged in?

Is it fair to say that all OAuth2 does on a high level is to ensure that a certain outside app gets certain access to my Gmail? It's a grant for a specific app to specific data. But I still need to provide my credentials to log in to Gmail.


Solution

Imagine you use a public code repo such as GitHub, for example, and you push your code there together with the config file you are using. You've just exposed your secrets to the whole world, and I cannot tell you how many times people have done stuff like this.

If your code is not public, that's better, but make sure that your web server does not serve the config file when requested directly. As long as no one can access it once the whole thing is live, you are safe.

Oh, and just to clarify how the refresh token works: it is used to extend the life of a previous token which either expired or was close to expiration, so you don't have to request a new one.

If it were me, I would encrypt all 3, meaning ClientID, ClientSecret and RefreshToken.

Think of it this way: the ClientID is your username and the ClientSecret is your password.
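The answer's two points, keep the config out of the repo and encrypt all three OAuth2 values, can be put into practice with the same mechanism the question's config already uses for the password (`remotepass = mailpasswd('gmail')`, a call into an offlineimap `pythonfile` helper). The following is an added example, not code from the question, the answer or the offlineimap project. It assumes `gpg` is installed, that each secret is stored encrypted to your key as a separate file under `~/.offlineimap/secrets/` (an assumed layout), and it names a hypothetical helper `oauth2_secret`. The second function is a check you can run over the config before committing: it flags any of the sensitive keys whose value is a literal string rather than a helper call.

```python
"""Keep OAuth2 client credentials out of plaintext config files.

Added example (not code from the question or answer above). It assumes
offlineimap's ``pythonfile`` hook, where a config value such as
``remotepass = mailpasswd('gmail')`` calls a Python function at run time, and
it assumes ``gpg`` is installed with the secret files encrypted to your key.
"""
import re
import subprocess
from functools import lru_cache
from pathlib import Path

# Assumed layout (constructed): ~/.offlineimap/secrets/<name>.gpg, one secret per file.
SECRET_DIR = Path.home() / ".offlineimap" / "secrets"

# Config keys whose values must never be literal strings in the file.
SENSITIVE_KEYS = ("oauth2_client_id", "oauth2_client_secret", "oauth2_refresh_token", "remotepass")

# A value like mailpasswd('gmail') is a call into pythonfile, so nothing secret is stored.
HELPER_CALL = re.compile(r"^[A-Za-z_]\w*\(.*\)$")


@lru_cache(maxsize=None)
def oauth2_secret(name: str) -> str:
    """Decrypt <name>.gpg once per run and return the secret (used like mailpasswd)."""
    path = SECRET_DIR / f"{name}.gpg"
    result = subprocess.run(
        ["gpg", "--quiet", "--batch", "--decrypt", str(path)],
        capture_output=True, check=True,
    )
    return result.stdout.decode().strip()


def find_plaintext_secrets(config_text: str) -> list[str]:
    """Return the sensitive keys whose value is a literal rather than a helper call.

    Run this over .offlineimaprc before committing (a pre-commit hook, for
    instance); a non-empty result means a credential would land in the repo.
    """
    leaks = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in SENSITIVE_KEYS and not HELPER_CALL.match(value):
            leaks.append(key)
    return leaks


# Constructed sample: the question's config with its placeholder values.
UNSAFE_CONFIG = """\
oauth2_client_id = clientId
oauth2_client_secret = clientSecretToken
oauth2_refresh_token = refreshToken
remotepass = mailpasswd('gmail')
"""

# Same section with every credential fetched through the helper instead.
SAFE_CONFIG = """\
oauth2_client_id = oauth2_secret('gmail-client-id')
oauth2_client_secret = oauth2_secret('gmail-client-secret')
oauth2_refresh_token = oauth2_secret('gmail-refresh-token')
remotepass = mailpasswd('gmail')
"""

if __name__ == "__main__":
    print("unsafe:", find_plaintext_secrets(UNSAFE_CONFIG))  # three keys flagged
    print("safe:", find_plaintext_secrets(SAFE_CONFIG))      # []
```

With the helper wired in through offlineimap's `pythonfile` setting, the config file holds only function names, so pushing it to a public repository leaks nothing; the secrets live in gpg-encrypted files that are decrypted on demand, exactly as the question proposed for the password. The `lru_cache` means each file is decrypted once per run rather than on every IMAP reconnect.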