Recently Google announced that they are supporting OAuth for Gmail IMAP/SMTP. I browsed through their multiple documentations, but I am still confused about whether they support OAuth for installed applications.
1. In this documentation they say:
Note: Though the OAuth protocol supports the desktop/installed application use case, Google only supports OAuth for web applications.
But they also have a document for OAuth for installed applications.
2. When I read the OAuth specification they point to, it says (in section 11.7):
In many applications, the Consumer application will be under the control of potentially untrusted parties. For example, if the Consumer is a freely available desktop application, an attacker may be able to download a copy for analysis. In such cases, attackers will be able to recover the Consumer Secret used to authenticate the Consumer to the Service Provider.
Also I think the disclaimer in point 1 above is about Google Data APIs, and surely IMAP/SMTP is not a part of them.
I understand that for installed applications I can have a setup like:
Have a small web-app at, say, example.com for my application. This web-app talks to Google and gets the access token.
The installed application talks to example.com only to get the access token.
Installed application then talks to Google with the access token.
I am now confused. Is this the only way? Also, if I do OAuth from a desktop application, we have to ship the Consumer Secret key with the app. Then we can't maintain the secrecy of the consumer key.
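To make the split described above concrete, here is an added example (not from the question or from Google's own code) of OAuth 1.0 HMAC-SHA1 signing per RFC 5849, with the one step that needs the Consumer Secret kept on the web-app side. All keys, secrets, tokens and the URL are constructed placeholders, and the web-app's token store is a hypothetical in-memory dict.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials. The secret exists only on the web-app
# (example.com); the installed application never receives it.
CONSUMER_KEY = "desktop-app-key"
CONSUMER_SECRET = "server-side-secret"
TOKEN_SECRETS = {"tok123": "token-secret-xyz"}  # hypothetical web-app token store

SAMPLE_URL = "https://service.example/resource"  # constructed, not a Google endpoint
SAMPLE_PARAMS = {  # constructed oauth_* parameters for one request
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_nonce": "n1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_token": "tok123",
    "oauth_version": "1.0",
}


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved chars stay."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """Normalize method, URL and sorted parameters into the OAuth 1.0 base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_on_webapp(method, url, params):
    """Runs on example.com: the only party holding CONSUMER_SECRET and the token secret."""
    token_secret = TOKEN_SECRETS[params["oauth_token"]]
    return hmac_sha1(signature_base_string(method, url, params), CONSUMER_SECRET, token_secret)


def build_authorization_header(params, signature):
    """Runs in the installed app: it only assembles the header from the signature it was handed."""
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))


def provider_accepts(method, url, params, signature, consumer_secret, token_secret):
    """What the service provider does: recompute the signature and compare in constant time."""
    expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)
```

The signing step is the one that consumes the Consumer Secret, so whichever party signs must hold it; keeping that step on the web-app is what lets the shipped binary stay secret-free.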