I think this should be on reddit either way. Perhaps someone will suggest a way around the oauth2 limitation.
Having to generate new client secrets just to use an app that already exists seems like a mission, so providing a default set that works and the user can just make sure they get the original app seems more practical, i.e. download the binary from a reputable place, i.e. your distribution's repos.

Also you are doing it the same way everyone else does it, by prompting at the command line, sooo....

On Wed, Sep 23, 2015 at 2:38 PM, Rory McGuire <rjmcguire@gmail.com> wrote:
Problem is right now anyone can make an app and pretend it's your app, and then ...

If the user gives your keys access to their stuff so does anyone else who has your keys, if they can get the oauth2 redirect to redirect to a matching url at least.

On Wed, Sep 23, 2015 at 10:38 AM, skilion via Digitalmars-d-announce <digitalmars-d-announce@puremagic.com> wrote:
On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole wrote:
You probably should not be exposing developer information for authentication.
You need to get the authentication fixed. Users should login via user/pass.

I think you are referring to the fields client_id and client_secret in the config file.

As I understand it, if a service is using OAuth2, it is exactly to allow its users to use third party apps without leaking the username and password. My app is registered as a desktop application, so it should be assumed that the client "secret" can't be really kept secret like in a web app.

Knowing the client secret allows you to produce API calls under my app name, but you still need to get permission from the user to access their data.