c# google-api-dotnet-client

Obtaining access_token from Google Drive API from Desktop application


I am creating a desktop application that should be able to store and download data from Google Drive. I am using Google.Apis.Drive.v3 to handle the authorization flow. I am facing an issue with how and where to store the client_secret that is needed in the authorization flow.

This application should be available to the wide public, so the idea of every user creating their own credentials is not acceptable.

I tried:

  • hard-coding the ClientId and ClientSecret directly into the code, which works but is not ideal due to the system versioning and possible secret loss caused by program decompilation.
  • reading about PKCE, which I read is not supported by the library.

What are other options to achieve the desired result?

Thanks for your help, TheSecurity


Solution

  • hard-coding the ClientId and ClientSecret directly into the code, which works but is not ideal due to the system versioning and possible secret loss caused by program decompilation.

    I am going to go out on a limb and say you're creating an installed application. You should do as you have done and compile the client ID and client secret into your application. You should not be checking these into your version control system, so you will need to set them as a secret as part of your build script so that they are only added at build time.

    As for the issue of it being decompiled, there is no workaround. I have asked Google about this several times over the last ten years. They know your app could be decompiled, but there's really no other option.

    My creative workaround

    Several years ago I had a client. What we did was, when the app was installed by the user, it would make a call to an API endpoint on our servers, which would return the client secret. This was then encoded into a file, hashed to heck and back so that it was not clear text, and then the application would run. This did require that the person installing the app had an internet connection to get the secret from our servers.
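One way to do the build-time injection the answer describes, as an added example that is not part of the original answer or of the Google library: a build step that writes the credentials from the build environment into a generated C# file kept out of version control. The variable names `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET`, the `BuildSecrets` class and the output path are assumptions made for illustration.

```shell
# Added example: inject OAuth client credentials at build time only.
# Assumed names (not from the page): GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET,
# the BuildSecrets class, and whatever output path the caller passes in.
NL='
'

# Escape a value for use inside a regular C# string literal.
cs_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# check_value NAME VALUE: returns 1 if empty, 2 if it contains a line break.
check_value() {
    if [ -z "$2" ]; then
        echo "error: $1 is not set in the build environment" >&2
        return 1
    fi
    case "$2" in
        *"$NL"*) echo "error: $1 contains a line break" >&2; return 2 ;;
    esac
    return 0
}

# generate_build_secrets OUTPUT_FILE
# Returns 0 on success, 1 or 2 for a bad value, 3 if OUTPUT_FILE is tracked by git.
generate_build_secrets() {
    check_value GOOGLE_CLIENT_ID "${GOOGLE_CLIENT_ID:-}" || return $?
    check_value GOOGLE_CLIENT_SECRET "${GOOGLE_CLIENT_SECRET:-}" || return $?
    # Refuse to write the secret into a file that is under version control.
    if git ls-files --error-unmatch -- "$1" >/dev/null 2>&1; then
        echo "error: $1 is tracked by git; add it to .gitignore" >&2
        return 3
    fi
    mkdir -p "$(dirname "$1")" || return $?
    (
        umask 077   # generated file readable by the build user only
        cat > "$1" <<EOF
// <auto-generated> Written by the build script. Do not commit. </auto-generated>
internal static class BuildSecrets
{
    internal const string ClientId = "$(cs_escape "$GOOGLE_CLIENT_ID")";
    internal const string ClientSecret = "$(cs_escape "$GOOGLE_CLIENT_SECRET")";
}
EOF
    )
}
```

Call `generate_build_secrets` before compiling, with the two variables supplied by the build server's secret store, and list the generated path in `.gitignore`.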