I think this should be on reddit either way. Perhaps someone will suggest a
way around the oauth2 limitation.
Having to generate new client secrets just to use an app that already
exists seems like a mission, so providing a default set that works and the
user can just make sure they get the original app seems more practical.
i.e. download the binary from a reputable place i.e. your distribution's repos.

Also you are doing it the same way everyone else does; by prompting at the
command line sooo....

On Wed, Sep 23, 2015 at 2:38 PM, Rory McGuire <rjmcgu...@gmail.com> wrote:

> Problem is right now anyone can make an app and pretend it's your app, and
> then ...
> If the user gives your keys access to their stuff so does anyone else who
> has your keys, if they can get the oauth2 redirect to redirect to a
> matching url at least.
> On Wed, Sep 23, 2015 at 10:38 AM, skilion via Digitalmars-d-announce <
> digitalmars-d-announce@puremagic.com> wrote:
>> On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole wrote:
>>> You probably should not be exposing developer information for
>>> authentication.
>>> You need to get the authentication fixed. Users should login via
>>> user/pass.
>> I think you are referring to the fields client_id and client_secret
>> in the config file.
>> As I understand it, if a service is using OAuth2, it is exactly to allow
>> its users to use third party apps without leaking the username and
>> password. My app is registered as a desktop application, so it should be
>> assumed that the client "secret" can't be really kept secret like in a web
>> app.
>> Knowing the client secret allows you to produce API calls under my app
>> name, but you still need to get a permission from the user to access their
>> data.
