On Mon, Jan 18, 2021 at 3:55 PM Nicolás Alvarez <nicolas.alva...@gmail.com> wrote: > > > Protecting an API key on a locally-running application is impossible even for > a closed source app. It's equivalent to the impossible task DRM intends to > achieve (hiding the content decryption key from the user while decrypting > content on their computer). If you give the application to the user, as > opposed to running everything in a server, the key *will* be publicly > available. > > https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gmailpasswordrequester.cpp#0016 > > -- > Nicolas
It's in fact so impossible that oAuth experts are advocating a number of extra keys (such as proof key for code exchange and application state) to be given in oAuth flow. Stuff like IndieAuth even does away with the 'client secret' (an oAuth api key), because it just makes no sense in projects with public code. I was looking into this a while back, oAuth wise, neither the o2 qt library for oAuth supports the proof key (pkce) nor does the oAuth plugin for SSO (which kaccounts uses), and then I ran out of time to look into this. -- Wolthera
