OAuth Google API for Unregistered Applications

It is pretty common when using OAuth for there to be a relationship between the provider and consumer; as a consumer you usually register with the provider to obtain a consumer key and consumer secret. Google’s APIs, however, do not require this. Registering your application is recommended, but it is also possible to use OAuth without registering.

This works because Google will accept default values for the consumer key and secret when you sign your OAuth request – see their documentation on signing OAuth requests. To do this, set both consumer key and secret to the value “anonymous”, and proceed as you normally would. The only difference so far as I can see is that the user will be shown a more cautious message when they are prompted to grant access to your application. Personally I think this is a great approach, particularly when prototyping ideas. Registering the application, though, is simple and quick, so I’d recommend registering for most applications once they get beyond concept stage.
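What the signing step looks like with the “anonymous” values, as an added example (not code from the original post or from Google): an OAuth 1.0 signature computed per RFC 5849, assuming the HMAC-SHA1 signature method. The endpoint URL, nonce, timestamp and the "registered" secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

ANON = "anonymous"  # value the post gives for both consumer key and secret
# Constructed request: URL, nonce and timestamp are placeholders, not real values.
URL = "https://provider.example/oauth/request_token"
PARAMS = {
    "oauth_consumer_key": ANON,
    "oauth_nonce": "constructed-nonce-1",
    "oauth_signature_method": "HMAC-SHA1",  # assumed signature method
    "oauth_timestamp": "1300000000",
    "oauth_version": "1.0",
}

def pct(value):
    """Percent-encode as RFC 5849 requires: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter list (URL has no query here)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret', base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    """Provider-side check: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def demo():
    sig = sign("GET", URL, PARAMS, ANON)
    tampered = dict(PARAMS, oauth_nonce="constructed-nonce-2")
    registered = "constructed-registered-secret"  # hypothetical per-app secret
    return {
        # Valid for any caller, since the signing key is the public "anonymous&".
        "anonymous_verifies": verify("GET", URL, PARAMS, sig, ANON),
        # The signature still binds the parameters it covers.
        "tampering_detected": not verify("GET", URL, tampered, sig, ANON),
        # Only a registered secret ties a signature to one application.
        "passes_as_registered": verify("GET", URL, PARAMS, sig, registered),
    }
```

Calling `demo()` shows that the anonymous signature still protects the integrity of the request but says nothing about which application sent it, which is what registering adds.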

2 thoughts on “OAuth Google API for Unregistered Applications”

  1. As much as this approach might be useful for development purposes, I would not recommend that OAuth providers implement an anonymous client id and shared secret for their apps.

    OAuth requires the resource owner to understand exactly what is happening at all stages of the process. Removing a vital identifier from this process introduces an unknown element into an already complex process. Therefore this is an anti-pattern in my opinion. I am disappointed that Google have chosen to implement this rather peculiar pattern.

    I am aware you alluded to this at the end of the post, but felt the point was worth re-iterating.

  2. Sam: Thanks for adding the comment, you make a point that I really skated over! I was surprised to see this “feature” in the Google APIs, for all the reasons you mention.
