Google OAuth 2.0 hide information


#1

Hello,
how/where I can safely (hide from the user) store the client_id and client_secret provided by Google for the authentication?


#2

You don’t, you can’t and you shouldn’t try really. Once you make this information available on the client it is possible for someone to reverse engineer your app and get at it, they can also intercept traffic etc. It’s not worth the trouble to encrypt or try to obfuscate it either. So that leaves us with doing it on the server. You could just make a simple wrapper around the bit of the api that returns the token and throw it on a server somewhere then route your oauth calls through that endpoint.