Google and OAuth 2.0

Patrick Cloke clokep at gmail.com
Fri Apr 25 17:25:40 UTC 2014


On Fri, Apr 25, 2014 at 1:10 PM, Andrew Sutherland <
asutherland at asutherland.org> wrote:

> On 04/25/2014 12:35 PM, Joshua Cranmer 🐧 wrote:
>
>> Oh, and IIRC, OAuth requires you to provision a "secret" identifier for
>> your application, which is rather hostile for open-source applications
>> since checking it into our public repository is not likely to go over well.
>> :-(
>>
>
> From https://developers.google.com/accounts/docs/OAuth2#installed:
> "The process results in a client ID and, in some cases, a client secret,
> which you embed in the source code of your application. (In this context,
> the client secret is obviously not treated as a secret.) "
>
> The Firefox OS Gaia calendar app uses oauth2 for accessing google
> calendar.  You can find its code at
> https://github.com/mozilla-b2g/gaia/tree/master/apps/calendar including
> the secret it uses to talk to Google.  Grep on 'oauth' for the good stuff.


FWIW Thunderbird already includes OAuth2 code that is used (in order of
history):
- chat (for Twitter)
- FileLink (for a bunch of things?)
- Calendar (for Google Calendar)

I forget whether we save the oauth secret key in a preference or in the
account manager, but we store the consumer secret / key in prefs for
Twitter. (Instantbird and Thunderbird have different keys here.)

It'd be convenient in some way if we could only have to sign in once for
all these uses...but that's probably a pipe dream.

I guess I should go file a bug for implementing this on the chat side.

Do they have any plans to limit the number of users per consumer ID? Fallen
might know this.

--Patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20140425/b7d22047/attachment.html>


More information about the tb-planning mailing list