Recommended Electron oauth2 flow is no longer valid.

[minht11]

From August 2022 Google oauth2 iOS key will no longer support localhost redirects, this was a recommended way for Electron apps to use this library and still is inside the docs.

Given the policy changes what is the new recommended alternative? Just publishing client secret inside the app code?

[komret]

I am also wondering. I ended up with a backend server storing client_secret, but this is not a convenient solution and the library does not seem to support it out of the box. I would like to know:

1. What is the security risk of exposing client_secret?
2. If a server is recommended for storing client_secret and fetching the tokens, what is the best approach to combine it with this library?

[cronon]

I've just faced the same problem, has anybody found a solution yet?

[komret]

We played it extra safe and created a backend authorization service so that we did not have to expose the client_secret, here's the implementation: trezor/trezor-suite#5669. Super annoying, especially if you do not need a backend otherwise.

[Theplayer592]

yh i've run into this problem recently too, and don't already have a backend. I'd much prefer to not have to create a whole sever just for this, so an alternative recommendation would be great.

[danielbankhead]

Hey folks - we're working on improving support for this library on Electron. For now I'll remove this confusing documentation.

Additionally, if you don't want to spin up a separate backend (understandable) you can use GIS's OAuth 2 implicit flow and use its access token for requests: https://developers.google.com/identity/oauth2/web/guides/use-token-model. It's a bit tricky to wire-up with this library, but it is possible.

[Theplayer592]

how do you get around google's insistance on a javascript origin? Electron doesn't really have a URL

[hrueger]

Just as another usecase which is not possible with the current limitations:

I'm working on @cpvalente's https://github.com/cpvalente/ontime to provide support for syncing with google sheets. Since it is an open-source (Electron) app, we cannot include a client secret (not even as a secret at build time, since it can be unpacked easily). Also, we can't require users to create their own google cloud project, setup api keys or oauth and whatnot because that is just too complicated.

Electron doesn't really have a URL

Ontime can be used directly in the electron ui or by pointing a browser to the webserver it automatically hosts. Therefore, we do have a url. However, users can configure the port and when accessing it externally, we don't know the ip in advance. Therefore, we can't set valid web origins in our cloud project...

[hrueger]

@danielbankhead Thanks for taking a look at this.

we're working on improving support for this library on Electron

is there a separate issue tracking that (since this one is now closed)?

[danielbankhead]

Here's a public tracking issue:

• feat: Alternate Runtimes Support #1638

I've closed this via #1635 as outdated documentation was the original issue. In the meantime we're actively working on alternate runtime support.