emacs-devel

Re: gmail+imap+smtp (oauth2)


From: Tim Cross
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 22:34:46 +1000
User-agent: mu4e 1.7.13; emacs 28.1.50

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> Problem is, Google T&C require that the application ID is kept secret.
>> For open source, this is a problem because we cannot add the application
>> ID and keep it secret while making the code open source.
>
> FWIW, it's also a problem for proprietary applications since the secret
> will necessarily be somewhere inside the executable as well.  It's a bit
> harder to find, and can be obfuscated to some extent, but as long as you
> can run the code inside a debugger and you have enough time on your
> hands to reverse engineer the workings of that part of the code you can
> also extract the application ID.
>

Yes, that is a flaw. However, requiring the application ID to be kept
secret is really the error - it isn't necessary and doesn't improve the
security. From what I've read, it was never the intention of the
designers of oauth that this value be kept secret. It really exists
mainly as an auditing/debugging/troubleshooting aid, not part of the
authn/authz process.

I think this is why some people are trying to get clarification from
Google, as it is likely their reference to what must be kept secret only
includes the application ID by error/oversight. (I was told this
confusion originally occurred because of ambiguity in the original oauth
documentation, which has subsequently been fixed/clarified). Problem is,
most users cannot get past the lower-level helpdesk staff or get their
issue in front of someone who can actually look at it and do something,
and even if you could, getting them to care enough to do something is
unlikely - the percentage of users impacted is likely just too small
compared to other issues they are also dealing with.
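The point Tim makes above, that the OAuth client (application) ID is a public identifier rather than a credential, is easiest to see in the authorization-code flow a desktop client such as Emacs would use. The following is an added example, not code from this thread or from any Emacs package: it builds an RFC 7636 PKCE authorization request for a public client and then plays the authorization server's check at the token endpoint. The client_id is sent in the clear in the URL the user's browser opens, so nothing can depend on it staying secret; what binds the resulting authorization code to this particular client instance is the per-request code_verifier, which never leaves the client until the token exchange. The endpoint URL, client ID and redirect URI are placeholders (assumptions, not real Google values); the Gmail scope and the RFC 7636 Appendix B test vector are real.

```python
"""PKCE (RFC 7636) authorization request for a public OAuth 2.0 client.

Added example, not part of the emacs-devel thread. Demonstrates that the
client_id is transmitted in plaintext in the authorization URL, and that
the security of the flow rests on the code_verifier / code_challenge pair
instead. AUTH_ENDPOINT, CLIENT_ID and REDIRECT_URI are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values: not a real Google endpoint or client ID.
AUTH_ENDPOINT = "https://auth.example.invalid/o/oauth2/v2/auth"
CLIENT_ID = "123456-example.apps.example.invalid"
# Loopback redirect, the usual choice for a native/desktop client.
REDIRECT_URI = "http://127.0.0.1:8080/callback"
# Scope Gmail documents for IMAP/SMTP access via XOAUTH2.
GMAIL_SCOPE = "https://mail.google.com/"


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding with '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, scope: str) -> str:
    """The URL the client hands to the user's browser. Note what is in it:
    the client_id in clear text, the challenge, but never the verifier."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute
    the challenge from the presented verifier and compare in constant time."""
    recomputed = make_code_challenge(presented_verifier)
    return secrets.compare_digest(recomputed, stored_challenge)


def demo() -> dict:
    """Run one flow and report who can redeem the authorization code."""
    verifier = make_code_verifier()
    url = build_authorization_url(verifier, secrets.token_urlsafe(16), GMAIL_SCOPE)
    query = parse_qs(urlparse(url).query)
    # The server stores the challenge alongside the code it later issues.
    stored_challenge = query["code_challenge"][0]
    return {
        # Anyone who sees the URL (browser history, proxy logs) sees the client_id.
        "client_id_visible": query["client_id"][0] == CLIENT_ID,
        # The legitimate client holds the verifier and succeeds.
        "legit_client_ok": server_verifies(stored_challenge, verifier),
        # An eavesdropper who captured client_id + code but not the verifier fails.
        "eavesdropper_ok": server_verifies(stored_challenge, make_code_verifier()),
    }


if __name__ == "__main__":
    print(demo())
```

The eavesdropper case is the one that matters for the thread: knowing the application ID (and even a captured authorization code) gives an attacker nothing without the verifier, which is why a public client shipping its client ID in open-source code loses no security that the protocol was relying on.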


