OAuth Client Ids in packages?
Luke Faraone
lfaraone at ubuntu.com
Thu Dec 12 16:34:03 UTC 2013
On Wed, 2013-12-11 at 21:51 +0100, bjoern wrote:
> Hi,
>
> as LibreOffice (or rather libCMIS) grew itself the option to connect directly
> to GDrive in 4.2:
>
> https://wiki.documentfoundation.org/ReleaseNotes/4.2#GUI
>
> I wonder how that would need to be handled in packaging in the end: Access to
> the Google API requires a OAuth Client Id/Secret pair for the binary to be
> backed in. Obviously, the specific pair used cant be public otherwise it likely
> will be abused (and revoked).
Google states in its API documentation[1] that they do not expect
applications installed on user sites to be able to keep secrets from the
user, so I don't think it will be problematic for you.
Google themselves include some keys in their open source projects, see
[2] for example.
[1]:https://developers.google.com/accounts/docs/OAuth2InstalledApp
[2]:https://code.google.com/p/googlecl/source/browse/trunk/src/google.py#713
Cheers,
Luke Faraone
Maintainer of "googlecl" in Debian & Ubuntu Developer
More information about the ubuntu-devel
mailing list