Google and OAuth 2.0

Andrew Sutherland asutherland at
Fri Apr 25 17:10:11 UTC 2014

On 04/25/2014 12:35 PM, Joshua Cranmer 🐧 wrote:
> Oh, and IIRC, OAuth requires you to provision a "secret" identifier 
> for your application, which is rather hostile for open-source 
> applications since checking it into our public repository is not 
> likely to go over well. :-(

"The process results in a client ID and, in some cases, a client secret, 
which you embed in the source code of your application. (In this 
context, the client secret is obviously not treated as a secret.) "

The Firefox OS Gaia calendar app uses oauth2 for accessing google 
calendar.  You can find its code at including 
the secret it uses to talk to Google.  Grep on 'oauth' for the good stuff.

> OAuth 2.0 makes some amount of sense if your application only cares 
> about talking to Google's server. For a generic IMAP client, it is 
> really hostile to your userbase. I find Google's attempt to make 
> traditional authentication steps (even relatively secure SASL steps?) 
> more difficult for users to use to be rather hostile to users and 
> clients.

I think this is unfair.  A user's Google account is potentially a 
gateway to a mountain of personal and private information and a 
username/password is a fairly blunt instrument.  While it's very 
possible to make a case that Google's application-specific passwords 
should support scoping so you can say "this password is just for gmail", 
that's effectively what their oauth2 implementation accomplishes, and 
with arguably better UX since it allows Google to be the entity 
describing to the user what abilities they are granting to Thunderbird 
if the user says yes.

(Not that Thunderbird wouldn't try and describe what it needs/wants very 
accurately, but in an adversarial system, you can't trust things that 
aren't Thunderbird to be honest about what they are going to get up to.  
And they are indistinguishable from Thunderbird for our purposes here.)
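Added example (not code from this post, the Gaia app, or Thunderbird) of the scoped flow described above: a native mail client ships its client ID in the source, asks Google only for the mail scope so the consent screen describes exactly that, checks the `state` it gets back before trusting the authorization code, and encodes the resulting token for IMAP's SASL XOAUTH2 step. The client ID and loopback redirect URI are placeholders; the authorization endpoint, the `https://mail.google.com/` scope and the XOAUTH2 encoding are the documented ones.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint and the Gmail IMAP/SMTP scope.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
MAIL_SCOPE = "https://mail.google.com/"

# Placeholder values. A native client's ID is shipped in the source, as the
# Gaia calendar app does; it identifies the app but does not authenticate it.
CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # loopback redirect, desktop app


def build_authorization_url(state: str) -> str:
    """Request only mail access, so Google's consent screen tells the user
    precisely what this client will be able to do (mail, nothing else)."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": MAIL_SCOPE,
        "state": state,
        "access_type": "offline",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Validate the echoed state before trusting the authorization code; a
    mismatch means the response does not belong to the request we started."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response for IMAP AUTHENTICATE XOAUTH2:
    base64("user=" + user + ^A + "auth=Bearer " + token + ^A + ^A)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # unguessable per-request value
    print(build_authorization_url(state))
```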
