The Google Cloud SDK provides a convenient mechanism for authenticating their CLI by opening a browser and doing an OAuth2 token exchange, which redirects back to a temporary web server running on localhost. You can find the meat of the implementation here: https://github.com/google/oauth2client/blob/master/oauth2client/client.py#L1805
Digging into the source code of the Google Cloud SDK, I found that they actually just hard-coded a client_id and client_secret into the application. They call this method out here: https://developers.google.com/api-client-library/python/auth/installed-app
The above documentation states: “The client ID and client secret obtained from the API Console are embedded in the source code of your application. In this context, the client secret is obviously not treated as a secret.”
Is it safe / possible / appropriate to use the new OIDC-compliant Third-Party Clients to safely embed a client ID and secret to enable CLI-based web flow token generation?
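The loopback redirect flow described in this question, as an added example that is not part of the original post and is not the Google Cloud SDK's code. It binds per-login secrets (a `state` value and an RFC 7636 PKCE verifier) to the redirect so the flow does not depend on the embedded client secret staying secret. `AUTH_ENDPOINT`, `CLIENT_ID` and the `LoopbackFlow` name are hypothetical placeholders, and provider support for PKCE is an assumption.

```python
import base64, hashlib, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://idp.example.com/authorize"  # placeholder, not a real provider
CLIENT_ID = "example-cli-client-id"  # placeholder; shipped in the CLI, so treated as public

def pkce_pair():
    """Return (verifier, S256 challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class LoopbackFlow:
    """One login attempt: a one-shot listener on 127.0.0.1 with an ephemeral port."""
    def __init__(self):
        self.state = secrets.token_urlsafe(16)         # ties the redirect to this attempt
        self.verifier, self.challenge = pkce_pair()    # verifier never leaves the process
        self.code = None
        flow = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                q = parse_qs(urlparse(self.path).query)
                got = q.get("state", [""])[0].encode()
                ok = "code" in q and secrets.compare_digest(got, flow.state.encode())
                if ok:  # accept the code only when state matches
                    flow.code = q["code"][0]
                self.send_response(200 if ok else 400)
                self.end_headers()
                self.wfile.write(b"You may close this window." if ok else b"Rejected.")

            def log_message(self, *args):  # do not log the code-bearing URL
                pass

        self.server = HTTPServer(("127.0.0.1", 0), Handler)  # loopback only, OS picks port
        self.redirect_uri = "http://127.0.0.1:%d/callback" % self.server.server_port

    def authorization_url(self):
        return AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": self.redirect_uri, "state": self.state,
            "code_challenge": self.challenge, "code_challenge_method": "S256"})

    def wait_for_redirect(self):
        """Serve exactly one request, then close. Returns the code or None."""
        self.server.handle_request()
        self.server.server_close()
        return self.code
```

The CLI would open `authorization_url()` in the browser, call `wait_for_redirect()`, and then send the returned code together with `verifier` to the provider's token endpoint.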