Re: gmail+imap+smtp (oauth2)
From: Tomas Hlavaty
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 18:49:57 +0200
On Fri 06 May 2022 at 22:34, Tim Cross <theophilusx@gmail.com> wrote:
> Yes, that is a flaw. However, requiring the application ID to be kept
> secret is really the error - it isn't necessary and doesn't improve the
> security. From what I've read, it was never the intention of the
> designers of oauth that this value be kept secret.
the intention is mentioned on their website:
https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/
    The client_id is a public identifier for apps. Even though it’s
    public, it’s best that it isn’t guessable by third parties, so many
    implementations use something like a 32-character hex string. If the
    client ID is guessable, it makes it slightly easier to craft phishing
    attacks against arbitrary applications.
people here think about it in terms of programs
but if you think about it in terms of services, this issue disappears
it looks like the authors of oauth2 had services in mind