On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole
wrote:
You probably should not be exposing developer information for
authentication.
You need to get the authentication fixed. Users should log in
via user/pass.
I think you are referring to the fields client_id and
client_secret in the config file.
As I understand it, if a service is using OAuth2, it is exactly
to allow its users to use third party apps without leaking the
username and password. My app is registered as a desktop
application, so it should be assumed that the client "secret"
can't be really kept secret like in a web app.
Knowing the client secret allows you to produce API calls under
my app name, but you still need to get permission from the user
to access their data.