Google and OAuth 2.0
asutherland at asutherland.org
Fri Apr 25 17:10:11 UTC 2014
On 04/25/2014 12:35 PM, Joshua Cranmer 🐧 wrote:
> Oh, and IIRC, OAuth requires you to provision a "secret" identifier
> for your application, which is rather hostile for open-source
> applications since checking it into our public repository is not
> likely to go over well. :-(
"The process results in a client ID and, in some cases, a client secret,
which you embed in the source code of your application. (In this
context, the client secret is obviously not treated as a secret.) "
The Firefox OS Gaia calendar app uses oauth2 for accessing google
calendar. You can find its code at
the secret it uses to talk to Google. Grep on 'oauth' for the good stuff.
> OAuth 2.0 makes some amount of sense if your application only cares
> about talking to Google's server. For a generic IMAP client, it is
> really hostile to your userbase. I find Google's attempt to make
> traditional authentication steps (even relatively secure SASL steps?)
> more difficult for users to use to be rather hostile to users and
I think this is unfair. A user's Google account is potentially a
gateway to a mountain of personal and private information and a
username/password is a fairly blunt instrument. While it's very
possible to make a case that Google's application-specific passwords
should support scoping so you can say "this password is just for gmail",
that's effectively what their oauth2 implementation accomplishes, and
with arguably better UX since it allows Google to be the entity
describing to the user what abilities they are granting to Thunderbird
if the user says yes.
(Not that Thunderbird wouldn't try and describe what it needs/wants very
accurately, but in an adversarial system, you can't trust things that
aren't Thunderbird to be honest about what they are going to get up to.
And they are indistinguishable from Thunderbird for our purposes here.)
More information about the tb-planning