Currently I have a native PC application that builds and uploads a configuration to an embedded Linux device (i.e. the client). This device connects to Google Calendar via their OAuth2 API. The configuration requires:

  1. A resource owner to log in to the Google admin console and download the JSON containing the client secret
  2. Import the JSON file into the software and authorize the account via one-time code and web browser
  3. Connect to the client (which is password protected) and use the now-authorized JSON file to connect it to get the tokens and communicate with the server

Steps 1 and 2 are typically handled by the IT department and step 3 is typically handled by a third party integrator. Therefore, once authorized, the software encrypts the JSON file and password protects the configuration, which can then be sent to said 3rd party.

Is encrypting the JSON file and password protecting the configuration enough? Theoretically this file can now be used on any hardware the software can connect to, so there is a risk the credentials will be misused. Removing the JSON file from the software would make deployment much less seamless.

Is there an alternative besides education about minimum acceptable risk? The only thing I can think of to keep both parties happy(er) is to somehow require the token to be reauthorized after a session, but I'm not sure anything like that can be imposed on the Google server.

Mogarrr

0 Answers