noop_noob · Aug 26, 2019 · 6:54 AM UTC

noop_noob

noop_noob @noop_noob

26 Aug 2019

I'm told that OAuth client secrets don't have to be secret. Wut?

noop_noob · Aug 26, 2019 · 8:33 AM UTC

noop_noob @noop_noob

26 Aug 2019

"The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)" from developers.google.com/identi… I'm confused.

Aaron Parecki · Aug 26, 2019 · 9:31 PM UTC

Aaron Parecki · Aug 26, 2019 · 9:31 PM UTC

Aaron Parecki @aaronpk

26 Aug 2019

Replying to @noop_noob

Good find... that is a really confusing sentence. I'm going to try to track that down and see if they can remove it.

Aug 26, 2019 · 9:31 PM UTC

noop_noob · Aug 27, 2019 · 2:19 AM UTC

noop_noob @noop_noob

27 Aug 2019

Replying to @aaronpk

BTW, the reason I found this sentence is because the documentation for the "httr" R package linked to it cran.r-project.org/web/packa…

Aaron Parecki · Aug 27, 2019 · 3:46 AM UTC

Aaron Parecki @aaronpk

27 Aug 2019

oh wow yeah, I can see how that would be incredibly confusing. Well for the record, OAuth secrets are absolutely supposed to be secret, and we have different solutions for deployments that can't keep secrets.

more replies