Thursday, 12 December 2013

Re: OAuth Client Ids in packages?

On Wed, 2013-12-11 at 21:51 +0100, bjoern wrote:
> Hi,
>
> as LibreOffice (or rather libCMIS) grew itself the option to connect directly
> to GDrive in 4.2:
>
> https://wiki.documentfoundation.org/ReleaseNotes/4.2#GUI
>
> I wonder how that would need to be handled in packaging in the end: Access to
> the Google API requires a OAuth Client Id/Secret pair for the binary to be
> backed in. Obviously, the specific pair used cant be public otherwise it likely
> will be abused (and revoked).

Google states in its API documentation[1] that they do not expect
applications installed on user sites to be able to keep secrets from the
user, so I don't think it will be problematic for you.

Google themselves include some keys in their open source projects, see
[2] for example.

[1]:https://developers.google.com/accounts/docs/OAuth2InstalledApp
[2]:https://code.google.com/p/googlecl/source/browse/trunk/src/google.py#713

Cheers,

Luke Faraone
Maintainer of "googlecl" in Debian & Ubuntu Developer

--
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel