Google and OAuth 2.0
ben.bucksch at beonex.com
Sat Apr 26 00:19:57 UTC 2014
Joshua Cranmer 🐧 wrote, On 25.04.2014 22:11:
> the page which Google uses to ask you for your username and password
> is effectively under the control of the application, so it can still
> be possible to intercept the password.
heh. That's a very nice point.
All that stems from the fact that OAuth was designed for websites: One
website wants access to webservices from another website. All the
choices - client secrets (kept by the server), entering the password on
the service site (protected by cross-origin barriers of the browser),
making it a webpage in the first place - make sense in that context.
Many of them make absolutely no sense in the context of desktop client
applications (e.g. Thunderbird) or even non-interactive processes (e.g.