
Re: gmail+imap+smtp (oauth2)


From: Tomas Hlavaty
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 18:49:57 +0200

On Fri 06 May 2022 at 22:34, Tim Cross <theophilusx@gmail.com> wrote:
> Yes, that is a flaw. However, requiring the application ID to be kept
> secret is really the error - it isn't necessary and doesn't improve the
> security. From what I've read, it was never the intention of the
> designers of oauth that this value be kept secret.

The intention is mentioned on their website:

https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

   The client_id is a public identifier for apps. Even though it’s
   public, it’s best that it isn’t guessable by third parties, so many
   implementations use something like a 32-character hex string. If the
   client ID is guessable, it makes it slightly easier to craft phishing
   attacks against arbitrary applications.

People here think about it in terms of programs,
but if you think about it in terms of services, this issue disappears.
It looks like the authors of OAuth2 had services in mind.


