From: Tomas Hlavaty
Newsgroups: gmane.emacs.devel
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 18:49:57 +0200
Message-ID: <874k22r4ga.fsf@logand.com>
In-Reply-To: <87h762esku.fsf@gmail.com>
References: <871qxbdulc.fsf@mat.ucm.es> <87k0b2tkg1.fsf@mat.ucm.es> <87zgjx4qhs.fsf@gmail.com> <87bkwcgmr3.fsf@mat.ucm.es> <87levfzqj2.fsf@yale.edu> <871qx7scvi.fsf@gmail.com> <87v8ujqec5.fsf@logand.com> <87ee172fjz.fsf@gmail.com> <87h762esku.fsf@gmail.com>
To: Tim Cross, Stefan Monnier
Cc: "Jorge A. Alfaro-Murillo", emacs-devel@gnu.org
X-Mailer: emacs 27.2 (via feedmail 11-beta-1 I)

On Fri 06 May 2022 at 22:34, Tim Cross wrote:

> Yes, that is a flaw. However, requiring the application ID to be kept
> secret is really the error - it isn't necessary and doesn't improve the
> security. From what I've read, it was never the intention of the
> designers of oauth that this value be kept secret.

the intention is mentioned on their website:

https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

  The client_id is a public identifier for apps. Even though it's
  public, it's best that it isn't guessable by third parties, so many
  implementations use something like a 32-character hex string. If the
  client ID is guessable, it makes it slightly easier to craft phishing
  attacks against arbitrary applications.

people here think about it in terms of programs but if you think about
it in terms of services, this issue disappears

it looks like the authors of oauth2 had services in mind
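As an added illustration of the distinction the thread is arguing about (this is not code from the thread, from Emacs, or from oauth.com), here is a minimal registry for an OAuth2 authorization server in which the client_id is a public but unguessable 32-character hex string, while the client_secret is the only confidential value and is retained only as a hash. The class and function names are assumptions for the example.

```python
# Added example, not from the emacs-devel thread: a minimal OAuth2 client
# registry. The client_id is public but unguessable (32 hex characters, as
# oauth.com recommends); the client_secret is the only confidential value
# and only its hash is stored. Names and structure are assumptions.
import hashlib
import hmac
import secrets
import string

_HEX = set(string.hexdigits.lower())


def issue_client_id() -> str:
    """Return a random 32-character lowercase hex client_id (16 random bytes)."""
    return secrets.token_hex(16)


def issue_client_secret() -> str:
    """Return a random client secret; the caller must store it securely."""
    return secrets.token_urlsafe(32)


def is_well_formed_client_id(client_id: str) -> bool:
    """A registered client_id must be exactly 32 lowercase hex characters."""
    return len(client_id) == 32 and set(client_id) <= _HEX


def _hash_secret(secret: str) -> str:
    # SHA-256 is adequate for a high-entropy random secret; a low-entropy,
    # user-chosen secret would need a password hash such as scrypt instead.
    return hashlib.sha256(secret.encode()).hexdigest()


class ClientRegistry:
    """Maps public client_ids to the hash of their confidential secret."""

    def __init__(self) -> None:
        self._clients: dict[str, str] = {}

    def register(self) -> tuple[str, str]:
        """Register a confidential client; the secret is returned exactly once."""
        client_id = issue_client_id()
        secret = issue_client_secret()
        self._clients[client_id] = _hash_secret(secret)
        return client_id, secret

    def verify(self, client_id: str, secret: str) -> bool:
        """Authenticate a client: an unknown id or a wrong secret both fail."""
        stored = self._clients.get(client_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, _hash_secret(secret))
```

Knowing a client_id alone lets you name the application, as the quoted text says; only the secret lets you authenticate as it.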