When is it ok to make OAuth client secret public?

14 Jan 2017

I've found that it's very strange that gcloud-sdk contains a client secret. One public client secret is in lib/googlecloudsdk/core/config.py on the line 165.

I've asked around and took a while to understand why it was ok.

The reason is:

gcloud uses public APIs. Therefore, I can just create my own client ID and secret and use them with gcloud. There's no reason to steal gcloud's client secret.