I can't think of a way to do phishing with oauth2, doesn't mean it can't be done somehow :)
Basically, because you have to configure the redirect when you set up the client_secret, the server will only ever send the browser to that redirect; a mismatch of the requested redirect will just cause an error on Google Apps, for example. Let's say this app has a redirect to localhost:1234/oauth set up during credentials creation on the oauth server. Then if you could get some malicious code to run at that host:port, you could get the access token that the oauth server would think it is sending to this app. So yes, letting everyone know your client_secret is dodgy, but actually getting hacked because of it seems highly unlikely.

On Wed, Sep 23, 2015 at 4:51 PM, Nick Sabalausky via Digitalmars-d-announce <digitalmars-d-announce@puremagic.com> wrote:
> On 09/23/2015 08:38 AM, Rory McGuire via Digitalmars-d-announce wrote:
>
>> Problem is right now anyone can make an app and pretend it's your app, and
>> then ...
>>
>> If the user gives your keys access to their stuff, so does anyone else who
>> has your keys, if they can get the oauth2 redirect to redirect to a
>> matching url at least.
>>
>
> Isn't oauth/openid just kind of a big bundle of such phishing problems
> anyway?
>
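The redirect check the reply leans on, as an added example that is not from the thread or from any D library: an authorization server validating the requested redirect_uri against what was registered when the credentials were created, and refusing to redirect at all on a mismatch. The client registry and the `example-client-id` / `native-app` entries are constructed for illustration.

```python
"""Redirect URI validation as an OAuth 2.0 authorization server performs it
before sending the browser anywhere. Added example; registry is constructed."""
from urllib.parse import urlsplit

# Constructed registry: the redirect URIs an operator entered at credential creation.
REGISTERED_CLIENTS = {
    "example-client-id": {"redirect_uris": ["http://localhost:1234/oauth"]},
    # A native app registered with a loopback IP redirect (RFC 8252 style).
    "native-app": {"redirect_uris": ["http://127.0.0.1/cb"]},
}


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """True only if `requested` matches a registered URI for this client."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    # RFC 6749 section 3.1.2.3: when the full redirect URI was registered, use
    # simple string comparison. Any change to scheme, host, port, path or
    # query is a mismatch, which is why a stolen client_secret alone does not
    # let a third party receive the token.
    if requested in client["redirect_uris"]:
        return True
    # RFC 8252 section 7.3: for loopback IP redirects (not the "localhost"
    # hostname) the server must accept any port, since native apps bind an
    # ephemeral port at runtime. Only the port may differ.
    req = urlsplit(requested)
    if req.hostname in ("127.0.0.1", "::1"):
        for reg in client["redirect_uris"]:
            r = urlsplit(reg)
            if (r.scheme, r.hostname, r.path, r.query) == (
                req.scheme, req.hostname, req.path, req.query
            ):
                return True
    return False


def handle_authorize(client_id: str, redirect_uri: str, state: str) -> dict:
    """Decide the authorization endpoint's response. On a mismatch the error
    is shown to the user in place; RFC 6749 section 4.1.2.1 forbids redirecting
    to an unregistered URI. (Code/state would be appended to `location`.)"""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"action": "show_error", "error": "invalid_request",
                "reason": "redirect_uri does not match registered value"}
    return {"action": "redirect", "location": redirect_uri, "state": state}
```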