On Thu, May 28, 2009 at 3:42 PM, jr conlin <jrcon...@gmail.com> wrote:
>
> Nathan Beach wrote:
>> Google has enhanced our OAuth approval flow to significantly improve
>> the user experience for installed applications that use OAuth to
>> access our GData APIs.
> Perhaps I'm missing something, but doesn't this kinda saw one of the
> legs off of OAuth?

Not really, no. There is no practical way to keep consumer keys secret for installed applications, nor is there any means to revoke a consumer secret if it leaks. Requiring registration for such apps just annoys developers without improving security.

> We may be the off case, but we're actually kind of interested in using
> the two legged approach so that we can validate developers and grant
> some customers adjusted rates.

That makes sense only if your developers are writing code for environments that can keep secrets. Installing a consumer secret on a server somewhere makes sense and can support the billing requirements you mention.