RFC 8628 doesn't state that the client_secret parameter is needed for the Device Access Token Request: https://datatracker.ietf.org/doc/html/rfc8628#section-3.4

When I do such a request using the Google API

$ curl --request POST \
  --url 'https://oauth2.googleapis.com/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=urn:ietf:params:oauth:grant-type:device_code' \
  --data 'device_code=...' \
  --data 'client_id=...'

I get the following error:

{
  "error": "invalid_request",
  "error_description": "Missing required parameter: client_secret"
}

If I pass client_secret, it works.

I'd be grateful if anyone could answer my two questions:

  1. Why does Google API require client_secret for the device flow? OAuth 2.0 for TV and Limited-Input Device Applications doesn't offer any explanation.
  2. Is it safe to expose client_secret, assuming that my client belongs to the "Client ID for TV and Limited Input" type? I assume it's generally discouraged, so I'd like to limit this question to the Google API only. My application can be downloaded, and the secret is basically hardcoded, thus exposed to everyone. If the secret gets leaked, I'm wondering what the implications are.
Linda Lawton - DaImTo On

You are sending the request to the standard oauth2 endpoint

https://oauth2.googleapis.com/token

While the device code endpoint is

https://oauth2.googleapis.com/device/code

Consulting this page, as you are using the standard oauth2 endpoint you are probably falling under this section:

[screenshot of the documentation section for the standard token endpoint]

instead of this section, which would expect you to be using the device endpoint:

[screenshot of the documentation section for the device endpoint]

This is the example found on that page for use with a "TVs and Limited Input devices" client.

curl -d "client_id=client_id&scope=email%20profile" \
     https://oauth2.googleapis.com/device/code
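The two-step exchange the question and the answer are describing (device authorization request to /device/code, then polling /token with the device_code grant), written out as an added example. This is not code from the question, the answer, or Google; the endpoint URLs are the ones cited above, the polling error codes are the ones RFC 8628 section 3.5 defines, and the client_secret field is sent because the question shows Google rejecting the token request without it. The `FakeGoogle` transport and every response it returns are constructed for the example so it runs offline; Google's actual HTTP status codes for the pending and slow_down cases are not asserted.

```python
"""RFC 8628 device flow against the Google endpoints named on this page.

Added example, not Google's or the page authors' code. `post`, `sleep` and
`clock` are injectable so the flow can be exercised against the constructed
FakeGoogle transport below instead of the network.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code"
TOKEN_URL = "https://oauth2.googleapis.com/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post_form(url, fields):
    """Real transport: POST a urlencoded form, return (status, parsed JSON body)."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:   # 4xx responses carry the OAuth error JSON
        return err.code, json.load(err)


def request_device_code(client_id, scope, post=http_post_form):
    """Step 1 (RFC 8628 s3.1): Device Authorization Request to /device/code."""
    status, body = post(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})
    if status != 200:
        raise RuntimeError(f"device authorization failed: {body}")
    return body  # device_code, user_code, verification URL, expires_in, interval


def poll_for_token(client_id, client_secret, device_code, interval=5,
                   expires_in=1800, post=http_post_form,
                   sleep=time.sleep, clock=time.monotonic):
    """Step 2 (RFC 8628 s3.4/3.5): poll /token until the user approves or the code dies.

    client_secret is optional in the RFC; Google rejects the request without it
    (see the question), so it is sent whenever the caller supplies one.
    """
    fields = {"grant_type": DEVICE_GRANT, "device_code": device_code,
              "client_id": client_id}
    if client_secret is not None:
        fields["client_secret"] = client_secret
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)                      # never poll faster than the server asked
        status, body = post(TOKEN_URL, fields)
        if status == 200:
            return body                      # access_token, token_type, expires_in, ...
        error = body.get("error")
        if error == "authorization_pending":
            continue                         # user has not finished on the other device
        if error == "slow_down":
            interval += 5                    # RFC 8628 s3.5: back off by 5 seconds
            continue
        if error in ("expired_token", "access_denied"):
            raise PermissionError(error)     # terminal: request a fresh device code
        raise RuntimeError(f"token request failed: {body}")  # e.g. missing client_secret
    raise TimeoutError("device code expired before the user authorized")


class FakeGoogle:
    """Constructed, offline stand-in for both endpoints (all responses are invented)."""

    def __init__(self, require_secret=True,
                 script=("authorization_pending", "slow_down",
                         "authorization_pending", "ok")):
        self.require_secret = require_secret
        self.script = list(script)
        self.polls = 0

    def __call__(self, url, fields):
        if url == DEVICE_CODE_URL:
            return 200, {"device_code": "dc-constructed", "user_code": "ABCD-EFGH",
                         "verification_url": "https://www.google.com/device",
                         "expires_in": 1800, "interval": 5}
        if self.require_secret and "client_secret" not in fields:   # the error from the question
            return 400, {"error": "invalid_request",
                         "error_description": "Missing required parameter: client_secret"}
        step = self.script[self.polls]
        self.polls += 1
        if step == "ok":
            return 200, {"access_token": "ya29.constructed", "token_type": "Bearer",
                         "expires_in": 3599}
        return 400, {"error": step}


def run_offline_demo():
    """Drive the whole flow against FakeGoogle; returns (token body, sleeps taken)."""
    fake, sleeps = FakeGoogle(), []
    dev = request_device_code("client_id", "email profile", post=fake)
    token = poll_for_token("client_id", "client_secret", dev["device_code"],
                           interval=dev["interval"], expires_in=dev["expires_in"],
                           post=fake, sleep=sleeps.append, clock=lambda: 0.0)
    return token, sleeps


if __name__ == "__main__":
    print(run_offline_demo())
```

Against the real endpoints, drop the `post`, `sleep` and `clock` arguments and show the user `user_code` and the verification URL from step 1 before polling. The secret is kept as a plain optional field only so the rejected request from the question can be reproduced: a value baked into a distributable binary is not confidential, so the flow must not rely on it for anything beyond satisfying the server's parameter check.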