nmh-workers
[Top] [All Lists]

Re: [Nmh-workers] XOAUTH2 integration, and a few questions

2016-07-08 02:56:27
Ken Hornstein <kenh(_at_)pobox(_dot_)com> writes:

Yes.  Refresh tokens, unlike access tokens, are long-lived.
However, either may stop working at any time, for any unspecified
reasons.

Thanks for the info!

One thing that jogs my memory; you said before you had created a nmh
project to register the client key and secret for nmh, and that we should
resolve the ownership of that.  I think we should get other developers
involved on that project, just in case something happens to you.

David Levine is a co-owner of the Google developer project.
Either of us can add other owners.  Apparently, you have to use a
Gmail account, not just any Google account.

Also, I do have a question about that ... obviously our client "secret"
isn't really secret, since it's embedded in our source code which is
available for download.  Is that to identify apps so users have more

Yep:

https://tools.ietf.org/html/rfc6749#section-2.1

fine-grained permission control?  Do other open-source applications
just embed the secret in their source code?  I guess that means other
applications could take our secret and pretend to be nmh; I'm not sure
that's a problem, but I just wanted to understand it.

Nothing can stop anyone else from using the client-id.  It serves
no security purpose in this scenario.

Thanks.

_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers

<Prev in Thread] Current Thread [Next in Thread>