show-authorized-user: display OAuth client ID and source (#1116)

* feat: show OAuth client details in show-authorized-user

Extend show-authorized-user output to include the active OAuth client ID
and classify it as google-provided or user-provided for quick visibility.

Centralize default OAuth client constants so auth creation, legacy credential
loading, and command-level classification stay aligned over time.

* docs: document show-authorized-user client output

Add show-authorized-user to the command list and reference section in README.
Document the new client ID and clientType output, including json behavior.
Keep command docs aligned with the implemented authorization status output.

Author: TheCrazyLex

README.md

@@ -116,6 +116,7 @@ clasp
 
 - [`clasp login [--no-localhost] [--creds <file>] [--redirect-port]`](#login)
 - [`clasp logout`](#logout)
+- [`clasp show-authorized-user [--json]`](#show-authorized-user)
 - [`clasp create-script [--title <title>] [--type <type>] [--rootDir <dir>] [--parentId <id>]`](#create)
 - [`clasp clone-script <scriptId | scriptURL> [versionNumber] [--rootDir <dir>]`](#clone)
 - [`clasp delete-script [--force]`](#delete)
@@ -381,6 +382,21 @@ Logs out the user by deleting client credentials.
 
 - `clasp logout`
 
+### Show Authorized User
+
+Shows the current authorization status. When logged in, the output includes
+the OAuth client ID and whether the client is `google-provided` (clasp default)
+or `user-provided` (custom credentials).
+
+#### Options
+
+- `--json`: Output authorization details as JSON, including `clientId` and `clientType`.
+
+#### Examples
+
+- `clasp show-authorized-user`
+- `clasp show-authorized-user --json`
+
 ### Create
 
 Creates a new script project. Prompts the user for the script type if not specified.

src/auth/auth.ts

@@ -25,6 +25,7 @@ import {AuthorizationCodeFlow} from './auth_code_flow.js';
 import {CredentialStore} from './credential_store.js';
 import {FileCredentialStore} from './file_credential_store.js';
 import {LocalServerAuthorizationCodeFlow} from './localhost_auth_code_flow.js';
+import {DEFAULT_CLASP_OAUTH_CLIENT_ID, DEFAULT_CLASP_OAUTH_CLIENT_SECRET} from './oauth_client.js';
 import {ServerlessAuthorizationCodeFlow} from './serverless_auth_code_flow.js';
 
 const debug = Debug('clasp:auth');
@@ -266,8 +267,8 @@ function createOauthClient(clientSecretPath: string) {
 function createDefaultOAuthClient() {
   // Default client
   const client = new OAuth2Client({
-    clientId: '1072944905499-vm2v2i5dvn0a0d2o4ca36i1vge8cvbn0.apps.googleusercontent.com',
-    clientSecret: 'v6V3fKV_zWU7iw1DrpO1rknX',
+    clientId: DEFAULT_CLASP_OAUTH_CLIENT_ID,
+    clientSecret: DEFAULT_CLASP_OAUTH_CLIENT_SECRET,
     redirectUri: 'http://localhost',
   });
   debug('Created built-in oauth client, id: %s', client._clientId);

src/auth/file_credential_store.ts

@@ -18,6 +18,7 @@
 
 import fs from 'fs';
 import {CredentialStore, StoredCredential} from './credential_store.js';
+import {DEFAULT_CLASP_OAUTH_CLIENT_ID, DEFAULT_CLASP_OAUTH_CLIENT_SECRET} from './oauth_client.js';
 
 // Initial .clasprc.json format, single credential per file
 type V1LocalFileFormat = {
@@ -163,8 +164,8 @@ export class FileCredentialStore implements CredentialStore {
         refresh_token: store.refresh_token,
         expiry_date: store.exprity_date,
         token_type: store.token_type,
-        client_id: '1072944905499-vm2v2i5dvn0a0d2o4ca36i1vge8cvbn0.apps.googleusercontent.com',
-        client_secret: 'v6V3fKV_zWU7iw1DrpO1rknX',
+        client_id: DEFAULT_CLASP_OAUTH_CLIENT_ID,
+        client_secret: DEFAULT_CLASP_OAUTH_CLIENT_SECRET,
       };
     }
     return null;

src/auth/oauth_client.ts

@@ -0,0 +1,28 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Shared constants and helpers for identifying clasp OAuth clients.
+
+export const DEFAULT_CLASP_OAUTH_CLIENT_ID =
+  '1072944905499-vm2v2i5dvn0a0d2o4ca36i1vge8cvbn0.apps.googleusercontent.com';
+export const DEFAULT_CLASP_OAUTH_CLIENT_SECRET = 'v6V3fKV_zWU7iw1DrpO1rknX';
+
+export type OAuthClientType = 'google-provided' | 'user-provided';
+
+export function getOAuthClientType(clientId?: string): OAuthClientType | undefined {
+  if (!clientId) {
+    return undefined;
+  }
+  return clientId === DEFAULT_CLASP_OAUTH_CLIENT_ID ? 'google-provided' : 'user-provided';
+}

src/commands/show-authorized-user.ts

@@ -16,6 +16,7 @@
 
 import {Command} from 'commander';
 import {AuthInfo, getUserInfo} from '../auth/auth.js';
+import {getOAuthClientType} from '../auth/oauth_client.js';
 import {intl} from '../intl.js';
 import {GlobalOptions} from './utils.js';
 
@@ -33,10 +34,15 @@ export const command = new Command('show-authorized-user')
       user = await getUserInfo(auth.credentials);
     }
 
+    const clientId = auth.credentials?._clientId;
+    const clientType = getOAuthClientType(clientId);
+
     if (options.json) {
       const output = {
         loggedIn: auth.credentials ? true : false,
         email: user?.email ?? undefined,
+        clientId: clientId ?? undefined,
+        clientType: clientType ?? undefined,
       };
       console.log(JSON.stringify(output, null, 2));
       return;
@@ -61,4 +67,14 @@ export const command = new Command('show-authorized-user')
       },
     );
     console.log(msg);
+    const clientMsg = intl.formatMessage(
+      {
+        defaultMessage: 'OAuth client ID: {clientId} ({clientType}).',
+      },
+      {
+        clientId: clientId ?? 'unknown',
+        clientType: clientType ?? 'unknown',
+      },
+    );
+    console.log(clientMsg);
   });

test/commands/show-authorized-user.ts

@@ -20,6 +20,7 @@ import {fileURLToPath} from 'url';
 import {expect} from 'chai';
 import {afterEach, beforeEach, describe, it} from 'mocha';
 import mockfs from 'mock-fs';
+import {DEFAULT_CLASP_OAUTH_CLIENT_ID} from '../../src/auth/oauth_client.js';
 import {useChaiExtensions} from '../helpers.js';
 import {mockOAuthRefreshRequest, resetMocks, setupMocks} from '../mocks.js';
 import {runCommand} from './utils.js';
@@ -53,6 +54,31 @@ describe('Show authorized user command', function () {
       const out = await runCommand(['show-authorized-user', '--json']);
       const json = JSON.parse(out.stdout);
       expect(json.loggedIn).to.be.true;
+      expect(json.clientId).to.equal(DEFAULT_CLASP_OAUTH_CLIENT_ID);
+      expect(json.clientType).to.equal('google-provided');
+    });
+
+    it('should show the oauth client id in text output', async function () {
+      const out = await runCommand(['show-authorized-user']);
+      expect(out.stdout).to.contain(`OAuth client ID: ${DEFAULT_CLASP_OAUTH_CLIENT_ID} (google-provided).`);
+    });
+  });
+
+  describe('With project, authenticated with user-provided client', function () {
+    beforeEach(function () {
+      mockfs({
+        '.clasp.json': mockfs.load(path.resolve(__dirname, '../fixtures/dot-clasp-no-settings.json')),
+        [path.resolve(os.homedir(), '.clasprc.json')]: mockfs.load(
+          path.resolve(__dirname, '../fixtures/dot-clasprc-authenticated-custom-client.json'),
+        ),
+      });
+    });
+
+    it('should classify the oauth client as user-provided', async function () {
+      const out = await runCommand(['show-authorized-user', '--json']);
+      const json = JSON.parse(out.stdout);
+      expect(json.loggedIn).to.be.true;
+      expect(json.clientType).to.equal('user-provided');
     });
   });
 });

test/fixtures/dot-clasprc-authenticated-custom-client.json

@@ -0,0 +1,14 @@
+{
+  "tokens": {
+    "default": {
+      "client_id": "123456789000-custom.apps.googleusercontent.com",
+      "client_secret": "mock-secret",
+      "type": "authorized_user",
+      "refresh_token": "mock-refresh-token",
+      "access_token": "mock-access-token",
+      "token_type": "Bearer",
+      "expiry_date": 1737951765115,
+      "id_token": "mock-id-token"
+    }
+  }
+}