2

I have a Python script that connects to Google Drive and uploads some files automatically.

The first time the application runs, it asks for a Google account to use on its behalf to upload files to that Drive.

However, I had to configure a project for this application in the Google API, and then download the corresponding credentials.json file. I've read the question posted here, and I humbly think this is not the same case, because in my case the application is a Python script that you copy to your machine in order to run it.

The question is: is it safe to upload the credentials.json file to GitHub? The credentials.json file is something like this:

{"installed":
    {"client_id":"NUMBERS-AND-DIGITS.apps.googleusercontent.com",
    "project_id":"INVENTED-PROJECT-ID",
    "auth_uri":"https://accounts.google.com/o/oauth2/auth",
    "token_uri":"https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
    "client_secret":"A-VERY-SECRET-CLIENT-ID",
    "redirect_uris":
        ["urn:ietf:wg:oauth:2.0:oob",
        "http://localhost"]
    }
}

Edit: Some have suggested that this is the same question as another one, but in my case I am not revealing my credentials. Moreover, the first time the application runs, it asks for a Google account and asks for permission to upload files to that account's Drive.

Raul Luna
  • I'm sorry, I do feel it's a dupe of the existing question, because the core question is not "How is impacted" but rather "What is the impact of sharing credentials.json", which is common to your question and that question. Impact such as "A hacker could host trojan software or distribute pornography from your account" remains the same in both cases. – gowenfawr Dec 28 '19 at 15:42
  • But this cannot be true... I do use OAuth to perform authentication of the user. The first time the application runs, it asks for a Google account (Gmail account) and asks for permission to upload files to that account's Google Drive. – Raul Luna Dec 28 '19 at 15:46
  • Yet you're uploading credentials.json with client_id and client_secret... whose secret? – gowenfawr Dec 28 '19 at 15:47
  • Good question... I am starting to think that this is not necessary at all. However, it's my first application with Google APIs and I am not very familiar with the process. Let me check... – Raul Luna Dec 28 '19 at 15:52
  • Tested. It asks for a client secret. I cannot run the application by just deleting this entry or leaving it blank. – Raul Luna Dec 28 '19 at 15:56
  • Ok, I am more aware of what I am doing.... :D I am creating an OAuth authorization for this application, so the answer is that it is not safe. The problem is what the application apparently needs it for, if it later asks for other credentials. – Raul Luna Dec 28 '19 at 16:05
  • Ok, that "credentials.json" file is the permission to use the API itself. I may be charged for this API usage, so it is not safe to share it. One thing is using the API and another is the Google Drive user you are putting the files in. – Raul Luna Dec 28 '19 at 16:10

1 Answer

0

I think I have the answer. The credentials.json file has the authorization to use the API. To create an application that uses the Google APIs you need two things: the first one is to request permission from Google to use those APIs. You might be charged for that use. The second is the usage per se: in that case, the application requests a Gmail account to upload files.

That's why you have a client-secret: the authorization to consume the API, and secondly, the Gmail account in which you are uploading the files.

Raul Luna
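One way to keep the file out of the repository, as an added example that is not part of the original question or answer: a check, runnable from a pre-commit hook, that flags any JSON file shaped like the credentials.json shown in the question. The function names, the `web` client type and the sample values are assumptions of this example.

```python
"""Flag Google OAuth client files that carry a client_secret (pre-commit style check)."""
import json
import sys
from pathlib import Path

# Top-level keys of downloaded OAuth client files: "installed" is the one shown
# in the question; "web" (web-application clients) is added by this example.
CLIENT_TYPES = ("installed", "web")

# Constructed sample mirroring the layout in the question (values are fake).
SAMPLE = ('{"installed": {"client_id": "EXAMPLE.apps.googleusercontent.com",'
          ' "client_secret": "EXAMPLE-SECRET"}}')


def oauth_client_secret(text):
    """Return (client_type, client_id) if text is an OAuth client file with a
    non-empty client_secret, else None."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None  # not JSON, so not a credentials.json
    if not isinstance(doc, dict):
        return None
    for client_type in CLIENT_TYPES:
        section = doc.get(client_type)
        if isinstance(section, dict) and section.get("client_secret"):
            return client_type, section.get("client_id", "<no client_id>")
    return None


def scan(paths):
    """Return [(path, client_type, client_id)] for files that must not be committed."""
    findings = []
    for path in map(Path, paths):
        try:
            text = path.read_text(encoding="utf-8-sig")  # tolerate a UTF-8 BOM
        except (OSError, UnicodeDecodeError):
            continue  # unreadable or binary: nothing to parse
        hit = oauth_client_secret(text)
        if hit:
            findings.append((str(path), *hit))
    return findings


if __name__ == "__main__":
    # With file names (e.g. the staged files) scan them; with none, show the sample.
    found = scan(sys.argv[1:]) if sys.argv[1:] else [("<sample>", *oauth_client_secret(SAMPLE))]
    for path, client_type, client_id in found:
        print(f"{path}: OAuth '{client_type}' client {client_id} has a client_secret")
    sys.exit(1 if found else 0)
```

The script exits non-zero when a match is found, so a hook that calls it with the staged file names blocks the commit; only the client_id is printed, never the secret.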