I'm far from an expert on the matters of OAuth and Google's APIs, but here's what I have gathered:
in a distributed app, such as one that would run on a user's desktop, the app's client secret for the Google API should not be included in the distribution because then it ceases to be a secret.
the recommendation for such distributed app is to use Authorization Code Flow with Proof Key for Code Exchange (PKCE). This flow does not require a client secret to be included in any authorization payloads
Google's dotnet library for authorization supports a PKCE flow. In fact, its AuthorizeAsync method has a "usePkce" argument that defaults to true. This seems to have been introduced in June 2023.
There's one caveat though: it seems when you request credentials for your app from the Google Cloud Console and you specify the app as a "Desktop app", Google still wants to see a client secret in the authorization request. However, specifying the app as "Universal Windows Platform (UWP)" -- even if the app has nothing to do with UWP -- opens the door for your app to omit the client secret and only send the client id. For example, this code successful authorizes a user
I'm far from an expert on the matters of OAuth and Google's APIs, but here's what I have gathered:
There's one caveat though: it seems when you request credentials for your app from the Google Cloud Console and you specify the app as a "Desktop app", Google still wants to see a client secret in the authorization request. However, specifying the app as "Universal Windows Platform (UWP)" -- even if the app has nothing to do with UWP -- opens the door for your app to omit the client secret and only send the client id. For example, this code successful authorizes a user
I believe this flow where the client secret is also now the recommendation for single-page apps.