So it's hard for me to understand something ...
If you use Oauth for web applications, you register your site with a callback URL and get a unique secret secret key. But once you have received the Oauth token for web applications, you do not need to generate Oauth calls to the google server from the registered domain. I regularly use my key and token from scripts running on the apache server on localhost on my laptop, and Google never says "you are not sending this request from the registered domain." He just sends me the data.
Now, as I understand it, if you use Oauth for installed applications, you use "anonymous" instead of the secret key that you received from Google.
I thought about just using the OAuth auth method for Web Apps, and then passed this token to the installed application, in which my secret code is embedded in its internals. The concern is that code can be detected by bad people. But what is safer ... making them work on secret code or letting them default anonymously?
What is really bad if a “secret” is discovered when an alternative uses “anonymous” as secrecy?
Yiddishninja
source share