4

A few months ago I was experimenting with a project which needed to read a Google sheets page. It didn't end up going anywhere, but today I accidentally checked the project, including credentials.json into my version control. A bit of poking around on Google doesn't reveal anything obvious as far as a control for this credential.

  • What did I just give up?
  • Is it possible to revoke this credential?
  • How worried should I be about it?

The redacted credentials.json follows:

```json
{
    "installed": {
        "client_id": "1xxxxxxxxxxx-xxx7xx2xxxxx5xxxxxxxxxxxxx3x5x45.apps.googleusercontent.com",
        "project_id": "quickstart-1xxxxxxxxxxxx",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "xxx4xx8xxxxXXXXXxxxxx3xx",
        "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob", "http://localhost"]
    }
}
```
kwan3217
    I'm not even really sure if this has anything to do with OAuth. I don't pretend to understand what OAuth even is (it seems to be an algorithm protected by extremely cryptic documentation). That was just one more thing getting in my way of actually doing what I wanted, so I tried to follow a recipe without attempting to understand, and ended up with this json file. A great answer would be a recipe for what to do to revoke the credential, without knowing a lot about how OAuth works. – kwan3217 Aug 09 '19 at 19:45
  • @kwan3217 OAuth is not an algorithm. OAuth is a protocol for authorization. –  Aug 10 '19 at 19:36

1 Answer

4

The short answer is "not much" but read the reference posted by Vipul.

The JSON you have is the authentication credential that you create when you set up the OAuth consent page for your project. Your application will use this to identify itself to Google, and then your users will authorise that your application can access their data. Theoretically, if your application has been given access by a user, then anyone with that JSON can impersonate your application (as the reference says), but when you set up the Client ID you also set up the redirect URL, so that should prevent someone actually completing the OAuth flow using your credentials.

You should, if you have not done so already, go into your project, and then in the project / credentials page you will see a list of all the OAuth 2.0 client IDs and you will be able to delete your ID. See doc:

> To delete a client ID, go to the Credentials page, check the box next to the ID, and then click Delete.

Aside: Posting secrets into GitHub and then removing them from history is tricky, and yes, the Google OAuth documentation isn't the easiest beast to follow.

Unicorn Tears
  • That doc link led me to the page I was looking for. I didn't see anything on managing the credentials -- it kept asking me if I wanted to create a credential, so maybe the old one expired? Anyway, since as I said this was a failed experiment, I just deleted the whole project. – kwan3217 Aug 09 '19 at 21:42
  • > read the reference posted by Vipul. This seems to be missing. – oligofren Aug 21 '20 at 07:46
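The answer above sorts the fields of the leaked file into "identifies the application" (public) and "authenticates the application" (the secret), and notes that the registered redirect URIs limit what a third party can do with it. The following added example, which is not code from the question, the answer, or Google, does that triage programmatically on a credentials file and doubles as a simple pre-commit style scanner over a set of file contents. The sample JSON is constructed with placeholder values (it reuses only the field names quoted in the question); the client-ID pattern and the list of loopback redirects are assumptions about the common format, not a Google-published specification.

```python
"""Triage a Google OAuth client credentials file and flag it before it is committed.

Added example, not part of the original question or answer. The sample file
below is constructed; only its field names come from the question.
"""
import json
import re

# Constructed sample with obviously fake values, same shape as credentials.json.
SAMPLE_CREDENTIALS = """
{
    "installed": {
        "client_id": "123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com",
        "project_id": "quickstart-1234567890123",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "FAKE-client-secret-value-0000",
        "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob", "http://localhost"]
    }
}
"""

# Fields a user sees in the browser during the consent flow are effectively public;
# the client_secret is the only value that lets a program *prove* it is your app.
PUBLIC_FIELDS = {"client_id", "project_id", "auth_uri", "token_uri",
                 "auth_provider_x509_cert_url", "redirect_uris"}
SECRET_FIELDS = {"client_secret"}

# Assumed shape of a Google client ID: digits, a hyphen, lowercase alphanumerics.
CLIENT_ID_RE = re.compile(r"^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$")
# Loopback prefixes typical for "installed" clients (assumption, not an official list).
LOCAL_REDIRECT_PREFIXES = ("http://localhost", "http://127.0.0.1", "http://[::1]")


def is_local_redirect(uri: str) -> bool:
    """True for the out-of-band marker or a loopback redirect used by desktop apps."""
    return uri == "urn:ietf:wg:oauth:2.0:oob" or uri.startswith(LOCAL_REDIRECT_PREFIXES)


def triage(text: str) -> dict:
    """Classify one file's content. Non-JSON or unrelated JSON is reported as not a client."""
    try:
        data = json.loads(text)
    except ValueError:
        return {"is_google_oauth_client": False}
    if not isinstance(data, dict):
        return {"is_google_oauth_client": False}
    # Google's downloaded files wrap the fields in "installed" or "web".
    client_type = next((k for k in ("installed", "web") if isinstance(data.get(k), dict)), None)
    if client_type is None:
        return {"is_google_oauth_client": False}
    body = data[client_type]
    redirects = body.get("redirect_uris", [])
    if not isinstance(redirects, list):
        redirects = []
    return {
        "is_google_oauth_client": True,
        "client_type": client_type,
        "secret_fields_present": sorted(f for f in SECRET_FIELDS if f in body),
        "public_fields_present": sorted(f for f in PUBLIC_FIELDS if f in body),
        "client_id_well_formed": bool(CLIENT_ID_RE.match(str(body.get("client_id", "")))),
        "all_redirects_local": bool(redirects) and all(is_local_redirect(str(u)) for u in redirects),
    }


def scan_files(files: dict) -> list:
    """Return paths (from a {path: content} mapping) holding a client file with a secret.

    Intended for a pre-commit hook: feed it the staged files and block the commit on hits.
    """
    return [path for path, content in files.items()
            if triage(content)["is_google_oauth_client"]
            and triage(content)["secret_fields_present"]]


def summarize(report: dict) -> str:
    """Human-readable verdict for one triage report."""
    if not report["is_google_oauth_client"]:
        return "not a Google OAuth client file"
    lines = [f"{report['client_type']} client; public fields: {report['public_fields_present']}"]
    if report["secret_fields_present"]:
        lines.append(f"secret exposed: {report['secret_fields_present']} -> delete or rotate the client ID")
    if report["all_redirects_local"]:
        lines.append("redirect URIs are loopback/OOB only; the consent flow cannot be completed to a remote host")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_CREDENTIALS)))
    print("staged files to block:", scan_files({"credentials.json": SAMPLE_CREDENTIALS,
                                                "README.md": "# notes"}))
```

Running the block on the constructed sample reports an `installed` client with `client_secret` present and loopback-only redirects, which is exactly the situation the answer describes: the secret should be deleted or rotated in the Cloud console, while the registered redirect URIs limit how far an outsider can get with it. Wiring `scan_files` into a pre-commit hook over staged paths is the cheap prevention for the accident that started the question.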