Google and OAuth 2.0

Ben Bucksch ben.bucksch at
Sat Apr 26 00:19:57 UTC 2014

Joshua Cranmer 🐧 wrote, On 25.04.2014 22:11:
> the page which Google uses to ask you for your username and password 
> is effectively under the control of the application, so it can still 
> be possible to intercept the password. 

heh. That's a very nice point.

All that steems from the fact that OAuth was designed for websites: One 
website wants access to webservices from another website. All the 
choices - client secrets (kept by the server), entering the password on 
the service site (protected by cross-origin barriers of the browser), 
making it a webpage in the first place - make sense in that context. 
Many of them make absolutely no sense in the context of desktop client 
applications (e.g. Thunderbird) or even non-interactive processes (e.g. 

More information about the tb-planning mailing list