
Google Oauth2 Application Type Web server vs Desktop App?


I am trying to create a web app for my server which can connect my website forms to Google Sheets. While generating the OAuth client ID and secret I chose "webserver", and I needed to enter a callback URI to handle the authorization code returned from Google as a response.


Well, now I created another client ID, but this time I chose the Application type "Desktop" and I didn't need to enter any redirect URI. In my PHP app, I used the redirect URI urn:ietf:wg:oauth:2.0:oob.


However, in both cases I was able to get an Access Token and a Refresh Token, and my Google Sheets API calls worked smoothly.

So my question is: why should I choose the Application Type "Webserver" and do the extra step of entering a "Redirect URI"? What is the benefit of doing so?

You may check the Quickstart OAuth flow here: https://developers.google.com/sheets/api/quickstart/php#step_1_turn_on_the


Solution

  • So my question is: why should I choose the Application Type "Webserver" and do the extra step of entering a "Redirect URI"? What is the benefit of doing so?

    Security. A web server client will return the auth to your server. An installed client will return it to wherever the request came from. If someone got your client ID and secret for a web app, they couldn't use it. However, if someone got your client ID and secret for an installed app, they could easily use it to impersonate your developer account.

    What are the client ID and client secret?

    Think of the client ID as a login and the secret as its password. This login and password identify your project to Google, and they identify the developer of that project as you.

    You, the developer, are responsible for this login and password. If it is stolen, then as far as Google can see it is your application using it; Google has no way of knowing otherwise. If the login and password for a desktop app are stolen, someone could put up an app, and as far as anyone would know it would appear to be your app.

    You create a super awesome email app which gives access to a user's Gmail account. It becomes very popular and a lot of people know the name. Someone steals your client ID and secret and creates an app that looks exactly like your super awesome email app. There is no way for anyone to know it's not. Because it's set up as a desktop app, this person could then put it up and start harvesting authorization from your potential users without them having any idea. It looks exactly like your app, only the responses are going to urn:ietf:wg:oauth:2.0:oob, which is the host server of the person who put up this app to mimic yours.

    Unless your application is running on a user's machine, it's really not a good idea to use installed credentials. That being said, there's nothing to stop you from doing so; it will work.
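To illustrate the answer's point about why a web client's redirect URI is registered, here is an added Python example (not from the question or the answer) modelling the redirect_uri check an authorization server applies for the two client types, alongside the consent URL a client builds. The client IDs and URIs are constructed placeholders; the Google endpoint, Sheets scope and parameter names are the public ones from Google's OAuth 2.0 documentation.

```python
from urllib.parse import urlencode, urlsplit

# Constructed registry standing in for what the developer configured in the
# Google Cloud console; client ids and URIs are made-up placeholders.
REGISTERED_CLIENTS = {
    "web-client-id.example": {
        "type": "web",
        "redirect_uris": ["https://app.example.com/oauth2callback"],
    },
    "desktop-client-id.example": {
        "type": "installed",
        "redirect_uris": [],  # nothing registered for a desktop client
    },
}

OOB_URI = "urn:ietf:wg:oauth:2.0:oob"


def redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server side: may the auth code be delivered to redirect_uri?"""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    if client["type"] == "web":
        # Exact string match against the registered list (RFC 6749 s3.1.2.3):
        # no prefix or wildcard matching, so even with the client secret a
        # third party cannot have codes delivered to a host they control.
        return redirect_uri in client["redirect_uris"]
    # Installed client: the code goes back to whoever made the request, via
    # the out-of-band URI or a loopback address (RFC 8252 s7.3).
    parts = urlsplit(redirect_uri)
    return redirect_uri == OOB_URI or (
        parts.scheme == "http" and parts.hostname in ("127.0.0.1", "localhost")
    )


def build_auth_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Client side: the consent URL for the Sheets scope with offline access."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "https://www.googleapis.com/auth/spreadsheets",
        "access_type": "offline",  # asks for a refresh token as well
        "state": state,  # random per-request value, checked when the code returns
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)
```

The web client only ever receives codes at the registered callback, which is the "extra step" the question asks about; the installed client accepts whatever loopback or OOB target the requester supplies.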