Client Secrets

The Google APIs client library for .NET uses client_secrets.json files for storing the client_id, client_secret, and other OAuth 2.0 parameters.

A client_secrets.json file is a JSON formatted file containing the client ID, client secret, and other OAuth 2.0 parameters. Here is an example client_secrets.json file for a web application:

{
  "web": {
    "client_id": "asdfjasdljfasdkjf",
    "client_secret": "1912308409123890",
    "redirect_uris": ["https://www.example.com/oauth2callback"],
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token"
  }
}

Here is an example client_secrets.json file for an installed application:

{
  "installed": {
    "client_id": "837647042410-75ifg...usercontent.com",
    "client_secret":"asdlkfjaskd",
    "redirect_uris": ["http://localhost", "urn:ietf:wg:oauth:2.0:oob"],
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token"
  }
}

The format defines one of two client ID types:

  • web: Web application.
  • installed: Installed application.

The web and installed sub-objects have the following mandatory members:

  • client_id (string): The client ID.
  • client_secret (string): The client secret.

All the other members of this file are optional and the .NET client library doesn't use them.

Motivation

Traditionally, providers of OAuth 2.0 endpoints have expected those who use their services to copy and paste the client ID and client secret from a registration page into working code. This method is error-prone and gives an incomplete picture of the information that is needed to get OAuth 2.0 working. (OAuth 2.0 also requires knowing all the endpoints, and configuring a redirect URI.) If service providers provide downloadable client_secrets.json files, and client libraries are prepared to consume these files, then implementing OAuth 2.0 will be easier and less prone to error.