Google's Oauth for Installed apps vs. Oauth for Web Apps
Posted
by burgerguy
on Stack Overflow
See other posts from Stack Overflow
or by burgerguy
Published on 2010-04-03T01:44:38Z
Indexed on
2010/04/03
1:53 UTC
Read the original article
Hit count: 399
So I'm having trouble understanding something...
If you do Oauth for Web Apps, you register your site with a callback URL and get a unique consumer secret key. But once you've obtained an Oauth for Web Apps token, you don't have to generate Oauth calls to the google server from your registered domain. I regularly use my key and token from scripts running via an apache server at localhost on my laptop and Google never says "you're not sending this request from the registered domain." It just sends me the data.
Now, as I understand it, if you do Oauth for Installed Apps, you use "anonymous" instead of a secret key you got from Google.
I've been thinking of just using the OAuth for Web Apps auth method, then passing that token to an installed app that has my secret code embedded in its innards. The worry is that the code could be discovered by bad people. But what's more secure... making them work for the secret code or letting them default to anonymous?
What really goes bad if the "secret" is discovered when the alternative is using "anonymous" as the secret?
© Stack Overflow or respective owner