views:

265

answers:

1

Recently Google announced that they are supporting OAUth for Gmail IMAP/SMTP. I browsed through their multiple documentations, but still I am confused about if they support OAuth for installed applications.

1. In this documentation they say:

Note: Though the OAuth protocol supports the desktop/installed application use case, Google only supports OAuth for web applications.

But they also have a document for OAuth for installed applications.

2. When I read the OAuth specification pointed by them, it says (in section 11.7):

In many applications, the Consumer application will be under the control of potentially untrusted parties. For example, if the Consumer is a freely available desktop application, an attacker may be able to download a copy for analysis. In such cases, attackers will be able to recover the Consumer Secret used to authenticate the Consumer to the Service Provider.

Also I think the disclaimer in point 1 above is about Google Data APIs, and surely IMAP/SMTP is not a part of them.

I understand that for installed applications I can have a setup like:

  1. Have a small web-app at say example.com for my application. This web-app talks to Google gets the access token.

  2. The installed application talks to example.com only to get the access token.

  3. Installed application then talks to Google with the access token.

I am now confused. Is this the only way? Also, if I do OAuth from desktop application we have to ship the Consumer Secret key with the app. Then, we can't maintain secrecy of the consumer key.

+2  A: 

Yes, Oauth is supported for installed applications; see Gmail IMAP and SMTP using OAuth documentation.

  1. Documentation is simply outdated (2008)
  2. It makes sense but just for application that does not store access token in a safe way.

Your setup is good although i don't think having a web-app that talks with google is mandatory; for example your users could just copy and paste "request token" to your desktop client application.

systempuntoout
Still the desktop client should be shipped with the Consumer Secret. Isn't it?
Sabya
What do you mean?
systempuntoout
Clarified in the question.
Sabya
"Access token" is one per user, it's like a secret password (that you need to store with all the security measures of the case) that your app should use to retrieve a specific user's data from google.So i don't think you desktop client could ship a "Consumer Secret".
systempuntoout
I was talking about this: http://oauth.net/core/1.0/#anchor40
Sabya
Makes sense, but just if you store a consumer token to access consumer data on the cloud.
systempuntoout