问题
I am trying to track down leaked values for GOOGLE_CLIENT_SECRET and GOOGLE_CLIENT_ID. I run this basic flask app here in docker, link it to localhost, edit /etc/hosts to map that to "myserver.local.com" and access the page. When I click Login on the "This app will attempt to authenticate you through Google OAuth 2.0" screen, I get this error
Authorization Error
Error 401: deleted_client
The OAuth client was deleted
Excluding the possibility of restoring the project within 30 days of deletion, can I take this to mean that the leaked keys do not pose a threat? I cannot find them in our projects, so I cannot just delete them myself.
回答1:
The client ID contains the project number. The client ID is constructed the following way:
<PROJECT_NUMBER>-<RANDOM_STUFF>.apps.googleusercontent.com
If you have access to the project, you can access the list of credentials by going to the link https://console.cloud.google.com/apis/credentials?project=<PROJECT_NUMBER>.
In there, you can verify if the client ID has been deleted, and if not, delete it yourself.
You can also check if the project is pending deletion by using the same project number in this command (requires gcloud installed and properly authenticated):
curl -H"Authorization: Bearer $(gcloud auth print-access-token)" -H'Accept: application/json' \
'https://cloudresourcemanager.googleapis.com/v1/projects?filter=projectNumber%3A<PROJECT_NUMBER>'
As per the API definition, if the response has the field "lifecycleState":"DELETE_REQUESTED", it means that the project is pending deletion but still recoverable.
All of these steps are contingent to you having access to the project with the credentials. If you don't have that access, you should find somebody who has. If that project was within an organization, someone with permissions at the organization level should have access to all the projects within.
With all that said, the error does look like it means the client was deleted, and there is no way to recover deleted credentials, at least according to the warning message when deleting one:
The biggest danger I see is that the leaked credentials contain the project number, but abusing only a project number is pretty hard.
回答2:
To ensure that your access token is revoked you can perform any of the following actions:
Tokens: delete --> Delete all access tokens issued by a user for an application.
gcloud auth revoke --> Revokes the user account token on the server:
Programatically revoke access
Change password
You can also track your token with the OAuth Token audit log to see when and by who it was used.
来源:https://stackoverflow.com/questions/63081372/does-the-oauth-client-was-deleted-from-google-mean-the-keys-are-invalid