Client_secret is missing error when using Google OIDC to authenticate to AWS (STS) - overriding the profile

[srdjantodorovic-SH]

I'm experimenting with Cyberduck. I want to perform basic S3 actions without storing long-term credentials on my PC. The current flow uses Google OIDC to obtain an STS token, but the built-in profile uses a predefined Client ID and appears to use https://cyberduck.io/oauth as the redirect URL.

I want to host my own Google App (User type: internal, aka Workspace only access) and use it's Client ID. I could allow 996125414232-s922bvdt21nceeh5dq1gb6av8plpj7hr client ID (aud) in the trust policy or provide an OAuth client secret in the profile¹, but I don't want to pass the token to a third party or store client secret locally. Those workarounds don't seem ideal for my goal.

I have read that CyberDuck had some verification issues with Google, so my guess is that it was made to simplify the process of creating and handling that part with Google App for the users?

Do you have any suggestions for achieving this?

Footnotes

1. Here is the part that I have chaged for this (client id & redirect) ↩

[srdjantodorovic-SH]

Here is what I get if I use code from the footnote:

[dkocher]

I am currently updating the available profiles ¹ as we have refactored the implementation to authenticate with temporary credentials from AWS STS ² scheduled for version 9.3. I have written a tutorial for integration with Microsoft Entra ID ³ and will do the same for Google OIDC. I will follow up here.

• Google OIDC should require no OAuth Client Secret and setting an empty value in the connection profile should be supported.
• You can reuse our OAuth Client registration 996125414232-s922bvdt21nceeh5dq1gb6av8plpj7hr.apps.googleusercontent.com but would need to make sure not only check the aud in the trust policy but also the sub in the trust policy to match users like

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::930717317329:oidc-provider/accounts.google.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "accounts.google.com:sub": [
                        "117386510014501924948",
                        "115652156010006064555"
                    ],
                    "accounts.google.com:aud": "996125414232-s922bvdt21nceeh5dq1gb6av8plpj7hr.apps.googleusercontent.com"
                }
            }
        }
    ]
}

Footnotes

1. STS profiles profiles#160 ↩

2. Interceptor for STS AssumeRole and GetSessionToken #17440 ↩

3. Add tutorial to connect to S3 with Microsoft Entra ID configured as i… docs#615 ↩

[srdjantodorovic-SH]

First of all, @dkocher thank you for the answer :)

I'd like do to something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "accounts.google.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "accounts.google.com:aud": "<prefix_from_my_client>.apps.googleusercontent.com",
                    "accounts.google.com:sub": ...
                }
            }
        }
    ]
}

to have full control of the flow.

If I understood correctly, it is not possible at the moment because of the error that I reported above? Is there any workaround (besides reusing OAuth reg) until official docs and come up?

I managed to make it till this secret error, but I'm wondering if there is any other way or fix which I can use.

Note from the script above, there is no need to create an IdP for it on AWS (build-in one for Google can be used)¹. It may be useful for the docs.

Footnotes

1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Prerequisites ↩

[dkocher]

Thanks for the hint about the built-in support for Google as a IdP on AWS IAM. I have included this in a tutorial in writing for Connect to S3 authenticating with Google.

I have tested this today with the profile available ¹ and the current snapshot build of Cyberduck 9.3.0 and cannot reproduce the error. It would be great if you can give it a try with the snapshot build.

Footnotes

1. https://raw.githubusercontent.com/iterate-ch/profiles/8c3759cba3d6f172e50d25406795e7ad7c91c3f2/AWS%20S3%20(Google%20OpenID%20Connect).cyberduckprofile ↩

[srdjantodorovic-SH]

Sure.

CyberDuck version: Version 9.3.0 (43922)

I think the issue might be the OAuth client.

I don't see "Bundle ID" from the tutorial:

Here is what I see:

My original client was "Desktop" type.

I tried both the profile you linked and my profile (which I used originally when I mentioned the problem):
https://gist.github.com/srdjantodorovic-SH/342ad6811495d0035d8c00aff76f4d8d

[dkocher]

Please attach a debug log if you can reproduce the Client_id is missing error.

[srdjantodorovic-SH]

It seems that I get the error when I use my Client ID in Bundle ID format as redirect link.

If I use your profile, I get the error for redirect URI mismatch. If I change that profile by replacing default redirect link, I get Client_secret error.

Looking at these errors, it seems that I do something wrong with the OAuth Client config, but I'm not sure what it is. I'll provide the log later if you can spot it right away.

[dkocher]

Please try with a iOS application type when registering a client in the Google Auth Platform. It does not require a client secret.

[srdjantodorovic-SH]

@dkocher It does work, but I'm concerned if it makes it less secure if the targeted platform is Windows.

Based on my research, it seems that having the secret in the app is not an issue since Google requires it anyway, and it is considered untrusted (non-secret value) in this case, but I don't know...

Do you have any thoughts on this? What's recommended way to do this securely for Windows users?

---

https://ktaka.blog.ccmp.jp/2025/07/oogle-oauth2-and-pkce-understanding.html
https://docs.cyberduck.io/tutorials/custom_oauth_client_id/
https://stackoverflow.com/questions/60724690/using-google-oidc-with-code-flow-and-pkce