views: 240
answers: 2

So I'm having trouble understanding something...

If you do OAuth for Web Apps, you register your site with a callback URL and get a unique consumer secret key. But once you've obtained an OAuth for Web Apps token, you don't have to generate OAuth calls to the Google server from your registered domain. I regularly use my key and token from scripts running via an Apache server at localhost on my laptop, and Google never says "you're not sending this request from the registered domain." It just sends me the data.

Now, as I understand it, if you do OAuth for Installed Apps, you use "anonymous" instead of a secret key you got from Google.

I've been thinking of just using the OAuth for Web Apps auth method, then passing that token to an installed app that has my secret code embedded in its innards. The worry is that the code could be discovered by bad people. But what's more secure: making them work for the secret code, or letting them default to anonymous?

What really goes bad if the "secret" is discovered when the alternative is using "anonymous" as the secret?

A: 

The only thing you need to identify yourself when doing an OAuth call is the signature, which is an HMAC-SHA1 string signed with your consumer secret. There's no relation with any domain whatsoever.

The only thing you need to keep reasonably safe is the consumer secret. I don't quite get what you mean by "anonymous" though...

Pablo Fernandez
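To make the answer above concrete, here is an added example (not code from the question or either answer, and not Google's own library) of how an OAuth 1.0 HMAC-SHA1 signature is built and checked, following RFC 5849. The inputs to the signature are the HTTP method, the request URL (the server's endpoint, not wherever the client happens to be running), the request parameters, and a key made from the consumer secret joined with the token secret. Nothing about the client's hostname, IP or registered domain enters the computation, which is why a request signed from localhost on a laptop verifies exactly like one signed from the registered site. The consumer key, token and secrets in the `__main__` block are made-up placeholders; the `verify_signature` function is a stand-in for what the resource server does with the secret it holds.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlparse


def oauth_escape(value) -> str:
    # RFC 5849 section 3.6: percent-encode everything except the RFC 3986 unreserved set
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    # RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default port, no query or fragment
    p = urlparse(url)
    scheme = p.scheme.lower()
    host = p.hostname.lower()
    if p.port and not ((scheme == "http" and p.port == 80) or (scheme == "https" and p.port == 443)):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    # params: oauth_* protocol params plus form-body params, WITHOUT oauth_signature.
    # Query-string params are taken from the URL so duplicates across query/body survive.
    pairs = list(params.items()) + parse_qsl(urlparse(url).query, keep_blank_values=True)
    encoded = sorted((oauth_escape(k), oauth_escape(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_escape(base_string_uri(url)), oauth_escape(normalized)])


def hmac_sha1_signature(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    # The key is consumer_secret & token_secret, each percent-encoded; no domain is involved.
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    sbs = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, sbs, hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None, extra_params=None) -> dict:
    # Client side: assemble the oauth_* parameters and attach the signature.
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    if extra_params:
        params.update(extra_params)
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params


def verify_signature(method, url, params, consumer_secret, token_secret="") -> bool:
    # Server side: recompute from the secrets the server holds and compare in constant time.
    # The server never sees, and never needs, where the client ran.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)


if __name__ == "__main__":
    # Placeholder credentials (assumption: made up for illustration, not real Google values).
    url = "https://www.google.com/m8/feeds/contacts/default/full?max-results=5"
    signed = sign_request("GET", url, "example.com", "cs3cr3t", "1/tok", "t0ks3cr3t")
    print("signature from a laptop at localhost verifies:",
          verify_signature("GET", url, signed, "cs3cr3t", "t0ks3cr3t"))
    # Installed-app style: "anonymous"/"anonymous" signs and verifies the same way,
    # the only difference being that anyone can produce such a signature.
    anon = sign_request("GET", url, "anonymous", "anonymous", "1/tok", "t0ks3cr3t")
    print("anonymous signature verifies:", verify_signature("GET", url, anon, "anonymous", "t0ks3cr3t"))
    print("verification with a wrong consumer secret:", verify_signature("GET", url, signed, "wrong", "t0ks3cr3t"))
```

The base-string construction is checked against the worked example in RFC 5849 section 3.4.1.1, so the encoding and sorting rules above match the spec rather than a particular library. What the secret buys you is visible in the last two calls: with a real consumer secret, a third party who learns only your token cannot forge a valid request, whereas with "anonymous" the signature proves nothing about who sent it.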
+1  A: 

The main difference between OAuth for Web Apps and OAuth for Installed Apps (e.g. "anonymous"/"anonymous" as your consumer key/secret) is the approval page.

For installed apps, there is no way for Google to verify the identity of the application, so a yellow warning box is shown to the user saying so.

For web apps, there's an actual URL (of the app) that can be verified. Hence, no ugly warning box is presented to the user.

Eric