是否“已删除OAuth客户端"来自Google的密钥是否无效? [英] Does "The OAuth client was deleted" from Google mean the keys are invalid?

问题描述

我正在尝试查找 GOOGLE_CLIENT_SECRET 和 GOOGLE_CLIENT_ID 的泄漏值.我在docker中

我看到的最大危险是泄露的凭证包含项目编号，但是仅滥用项目编号非常困难.

I am trying to track down leaked values for GOOGLE_CLIENT_SECRET and GOOGLE_CLIENT_ID. I run this basic flask app here in docker, link it to localhost, edit /etc/hosts to map that to "myserver.local.com" and access the page. When I click Login on the "This app will attempt to authenticate you through Google OAuth 2.0" screen, I get this error

Authorization Error
Error 401: deleted_client
The OAuth client was deleted

Excluding the possibility of restoring the project within 30 days of deletion, can I take this to mean that the leaked keys do not pose a threat? I cannot find them in our projects, so I cannot just delete them myself.

解决方案

The client ID contains the project number. The client ID is constructed the following way:

<PROJECT_NUMBER>-<RANDOM_STUFF>.apps.googleusercontent.com

If you have access to the project, you can access the list of credentials by going to the link https://console.cloud.google.com/apis/credentials?project=<PROJECT_NUMBER>.

In there, you can verify if the client ID has been deleted, and if not, delete it yourself.

You can also check if the project is pending deletion by using the same project number in this command (requires gcloud installed and properly authenticated):

curl -H"Authorization: Bearer $(gcloud auth print-access-token)" -H'Accept: application/json' \
'https://cloudresourcemanager.googleapis.com/v1/projects?filter=projectNumber%3A<PROJECT_NUMBER>'

As per the API definition, if the response has the field "lifecycleState":"DELETE_REQUESTED", it means that the project is pending deletion but still recoverable.

All of these steps are contingent to you having access to the project with the credentials. If you don't have that access, you should find somebody who has. If that project was within an organization, someone with permissions at the organization level should have access to all the projects within.

With all that said, the error does look like it means the client was deleted, and there is no way to recover deleted credentials, at least according to the warning message when deleting one:

The biggest danger I see is that the leaked credentials contain the project number, but abusing only a project number is pretty hard.

这篇关于是否“已删除OAuth客户端"来自Google的密钥是否无效?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！