Database Reference
In-Depth Information
application to Google APIs. On the Cloud Console page for your project,
if you click Credentials under APIs & auth, you can see the Client ID for
your project. Click the Download JSON link in the Client ID section to
download a
client_secrets.json
file. The client secrets JSON file for
the BigQuery end-to-end project looks like this:
$
cat client_secrets.json
{
"installed": {
"client_id":
"857243983440.apps.googleusercontent.com",
"client_secret": "9z0P5eC1WjYtRug90aKiejns",
"redirect_uris": ["urn:ietf:wg:oauth:2.0:oob"],
"auth_uri": "https://accounts.google.com/o/
oauth2/auth",
"token_uri": "https://accounts.google.com/o/
oauth2/token"
}
}
Despite being called “secret,” we've included the
client_secret
for our
project. That is because, as used by BigQuery, the
client_secrets.json
file doesn't contain any important secrets. If you use other Google APIs such
as Google Maps, this information may be more sensitive. In BigQuery, the
client ID and client secret fields serve only to identify the application making
the request. For instance, if you look through the sources for
bq.py
, the
client secret is provided right there in the source:
$
grep client_secret bq.py
'client_secret': 'wbER7576mc_1YOII0dGk7jEE',
The reason this “secret” is not so secret is that all access control and
authentication is done with respect to users making the request, not the
application. So if someone steals your
client_secret
, she can
impersonate your application (which has no special rights) but not any
users.
The
auth_uri
and
token_uri
fields in the
client_secrets.json
file
tell the OAuth flow which Authorization Server to talk to. The
