Is it ok to put a client secret in a "Desktop app"?

Hi

I was looking at the Java quickstart | Gmail | Google for Developers page, but I have a question. Why do they include a credentials.json file with a client secret?
If someone has someone else’s credentials.json file, can it then be used for bad purposes? Because the login popup will show a name of an app, while another program actually opened it.

I was told to never put a client secret in a program that was running as a client.

Kind regards
Michiel Niesen

Yes — if someone gets your credentials.json with a client secret, they can impersonate your app and potentially trick users, abuse your API quota, or trigger OAuth flows showing your app name. That’s why client secrets should never be in client-side apps.

For safe client apps, use OAuth with PKCE (no secret) or run OAuth on a secure backend.

Great, that confirms my understanding.

However when using PKCE and not providing a client_secret, I get:
{
  "error": "invalid_request",
  "error_description": "client_secret is missing."
}
when trying to exchange my code for an access token.

Any idea how to get this working without a client secret?

Do not use a web app, and remember to include:

  • client_id

  • code

  • code_verifier

  • redirect_uri

  • grant_type=authorization_code

Do NOT include: client_secret

Google expects:

POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded

client_id=YOUR_CLIENT_ID
&code=AUTH_CODE
&code_verifier=ORIGINAL_VERIFIER
&redirect_uri=YOUR_REDIRECT_URI
&grant_type=authorization_code

Your mistake was:

  • Created a Web App OAuth client

  • Tried to “just not send” the client secret

  • Google rejects it with: “client_secret is missing.”

No, I used a desktop app. This article, Google OAuth2/OIDC and PKCE: Understanding Client Secret Requirements, describes exactly the problems I’m having.

Also, I find a lot of people online who also say that it doesn’t work with the Desktop app application type. I used PKCE and didn’t provide a client_secret, and then I get the error message.

Although OAuth 2.0 + PKCE allows public clients to omit a client_secret, Google’s OAuth token endpoint often still requires a client_secret for Desktop app OAuth clients, even when PKCE is correctly implemented. This is especially common with APIs like Gmail.

This means:

  • Registering the client as a Desktop app

  • Using PKCE correctly

  • Omitting client_secret

still result in:

  • invalid_request: client_secret is missing

What works in practice

  • Include the client_secret even with PKCE (this is what Google client libraries effectively do), or

  • Perform the authorization code exchange on a backend where the secret can be stored securely

TO SUM IT UP

This isn’t a violation of the OAuth spec on the client side, but a Google-specific implementation/policy limitation. Secret-less PKCE for Desktop apps is not consistently supported across Google APIs at this time.
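Added example (not code from this thread, from Google, or from the Google client libraries) covering both the field list in the earlier reply and the "what works in practice" summary above. It generates an RFC 7636 S256 verifier/challenge pair, builds the authorization URL and the token-exchange body with exactly the five fields listed (client_secret attached only when supplied), and classifies the token endpoint's answer so that the "client_secret is missing." case becomes an explicit decision point for the app. Google's token endpoint URL is the one quoted in the thread; the authorization endpoint is assumed, the client_id, redirect URI, code and secret are placeholders, and `fake_google_token_endpoint` is a constructed stand-in that models the behaviour the thread reports for a Desktop app client so the example runs offline.

```python
import base64
import hashlib
import secrets
import urllib.parse

# TOKEN_ENDPOINT is the URL quoted in the thread. AUTH_ENDPOINT is assumed; the
# client_id, redirect URI, code and secret used in the demo are placeholders.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """RFC 7636 S256: 32 random bytes -> 43-char code_verifier; challenge = SHA-256 of it."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def authorization_url(client_id, redirect_uri, scope, challenge, state):
    """Step 1: URL the desktop app opens in the browser. Only the challenge is sent here."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def token_request_body(client_id, code, verifier, redirect_uri, client_secret=None):
    """Step 2: the form body from the thread; client_secret is attached only when given."""
    form = {
        "client_id": client_id,
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    return urllib.parse.urlencode(form)


def exchange_code(transport, client_id, code, verifier, redirect_uri, client_secret=None):
    """POST via transport(url, body) -> (status, dict). Returns ("ok", tokens),
    ("secret_required", desc) for the thread's 'client_secret is missing.' reply, or
    ("error", desc). 'secret_required' is where a real app attaches the secret or
    hands the code to a backend that holds it."""
    body = token_request_body(client_id, code, verifier, redirect_uri, client_secret)
    status, reply = transport(TOKEN_ENDPOINT, body)
    if status == 200 and "access_token" in reply:
        return "ok", reply
    desc = reply.get("error_description", "")
    if reply.get("error") == "invalid_request" and "client_secret" in desc:
        return "secret_required", desc
    return "error", f"{reply.get('error')}: {desc}"


def fake_google_token_endpoint(expected_challenge, required_secret, issued_code="AUTH_CODE"):
    """Constructed stand-in (not Google's code) modelling the behaviour the thread reports
    for a Desktop app client: PKCE is verified, but client_secret is still required."""
    def transport(url, body):
        form = {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}
        if url != TOKEN_ENDPOINT or form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type", "error_description": "Invalid grant_type"}
        if form.get("code") != issued_code or not verify_pkce(form.get("code_verifier", ""), expected_challenge):
            return 400, {"error": "invalid_grant", "error_description": "Bad Request"}
        if "client_secret" not in form:
            return 400, {"error": "invalid_request", "error_description": "client_secret is missing."}
        if form["client_secret"] != required_secret:
            return 401, {"error": "invalid_client", "error_description": "Unauthorized"}
        return 200, {"access_token": "ya29.example", "token_type": "Bearer", "expires_in": 3599}
    return transport


if __name__ == "__main__":
    client_id, redirect_uri = "YOUR_CLIENT_ID", "http://127.0.0.1:8080/"
    verifier, challenge = make_pkce_pair()
    print("open in browser:", authorization_url(client_id, redirect_uri, "openid", challenge, "xyz"))
    google = fake_google_token_endpoint(challenge, "YOUR_CLIENT_SECRET")
    print(exchange_code(google, client_id, "AUTH_CODE", verifier, redirect_uri))
    print(exchange_code(google, client_id, "AUTH_CODE", verifier, redirect_uri, "YOUR_CLIENT_SECRET"))
```

Swapping `fake_google_token_endpoint` for a function that really POSTs the body with `urllib.request` gives the live flow; the classification in `exchange_code` is what lets a desktop app detect the Google-specific rejection and fall back to a backend exchange instead of silently shipping the secret.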