AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Xojo web browser7/31/2023 If a fake Thunderbird was started, then all has already been lost. The reason it is OK is that implicitly, when a person starts an application (such as Thunderbird), the identity of the application is known. One should still take care to shroud the client secret to some extent, but know that whatever is done cannot be deemed secure. Therefore, the client_secret, for desktop (installed) applications is not actually secret. An application can hide the secret, and can make it difficult to access, but in the end the secret cannot be assumed to be safe. that the key cannot be obtained by some hacker. It is essentially impossible for desktop applications to embed a secret key (such as the client secret) and assure confidentiality (i.e. But if you already started some rogue app, then all has already been lost. There can be no impersonation unless your computer has already been hacked and when you thought you started Thunderbird, you actually started some rogue app. You implicitly know the Thunderbird application is running because you started it. When you add a GMail account and need to authenticate for the 1st time, you'll get a popup window (a browser) where you interactively grant authorization to Thunderbird. Thunderbird uses OAuth2 authentication for GMail accounts in the same way as this OAuth2 API. It is an application installed on your computer. things that run on the local computer, not in a browser).Ĭonsider Mozilla Thunderbird. But the Chilkat OAuth2 class is for desktop applications and scripts (i.e. One does not want to be interacting with a site that claims to be "Application XYZ" but is actually an impersonator. For a web-based application (where the code is on the web server) and the user interacts with the application in a browser, then YES, the client secret MUST be kept secret at all times. See the ClientId property for more information. what identifies the application) consist of a client_id and client_secret. OAuth2 Xojo Plugin Reference Documentation OAuth2 Current Version: 9.5.0.94
0 Comments
Read More
Leave a Reply. |