Recently Google announced that they are supporting OAUth for Gmail IMAP/SMTP. I browsed through their multiple documentations, but still I am confused about if they support OAuth for installed applications.

1. In this documentation they say:

Note: Though the OAuth protocol supports the desktop/installed application use case, Google only supports OAuth for web applications.

But they also have a document for OAuth for installed applications.

2. When I read the OAuth specification pointed by them, it says (in section 11.7):

In many applications, the Consumer application will be under the control of potentially untrusted parties. For example, if the Consumer is a freely available desktop application, an attacker may be able to download a copy for analysis. In such cases, attackers will be able to recover the Consumer Secret used to authenticate the Consumer to the Service Provider.

Also I think the disclaimer in point 1 above is about Google Data APIs, and surely IMAP/SMTP is not a part of them.

I understand that for installed applications I can have a setup like:

1. Have a small web-app at say example.com for my application. This web-app talks to Google gets the access token.

2. The installed application talks to example.com only to get the access token.

3. Installed application then talks to Google with the access token.

I am now confused. Is this the only way?