How safe it is to store Google OAuth 2.0 client secret on user laptop? #15528
Unanswered
markus22-22 asked this question in Q&A
Replies: 0 comments
Dear Cyberduck community
We would like to give users in our small organisation the ability to use Cyberduck with our custom Google OAuth 2.0 client ID/secret, so we don't hit API quota limits with the generic Cyberduck ones.
So when creating a .cyberduckprofile following the instructions here (https://docs.cyberduck.io/protocols/profiles/google_client_id/) I am wondering how safe it is to create a generic OAuth 2.0 set of credentials for the whole organization, put it inside the cyberduckprofile file and share the file with users.
How safe is this approach?
At a practical level, even if the secret is stolen, the user still needs to authenticate to Google. There are some theoretical attacks where a malicious agent could impersonate the app (i.e. Cyberduck) but I think the likelihood is very very minimal for this to happen.
In any case, it is as safe/unsafe as using the Cyberduck default ones, I guess?
Any feedback would be greatly appreciated.
Cheers