OAuth2 Client Credentials

Hi, I’m currently working on a Go Client as part of a course on software design. I’m planning on adding support for OGS, but I have a few questions regarding the OAuth2 authentication.

I saw this post by @matburt in OAuth2 best practice:

I was wondering if this information is still accurate? Specifically, is there still no option other than to distribute the client id and secret with my binary?

Also, I’ve noticed that the following section of the API documentation doesn’t seem to be accurate:

It seems that you actually need to send the user’s OGS password and there is no way to generate application-specific passwords. Is this correct or am I missing something? If I am correct, how do you get an OAuth2 token for a user who registered using their Google account, or is that not possible?

Any help would be greatly appreciated, and thanks in advance.

Let me ping @anoek; he is probably the only one who can help you. Or maybe @mlopezviedma?

1 Like

Sorry about bumping my own thread here, but I would really appreciate some help on this issue. I realize that @anoek or @matburt probably have a lot on their hands, so I’m not looking for an in-depth answer: just a simple “Yes, that’s still accurate” or “No, you have to find another solution” would be sufficient.

Again, thanks in advance for any help.

Howdy!

The first section is indeed still accurate.

The application-specific password is not; you will need to take the user’s actual password and send it along with the initial request. Do not store that; instead, just store the token you get back… It also comes with a re-auth token that you can use on expiry of the main token or if you need to regenerate a token.

Other than that you are fine. Do keep us posted on things while building the app and let us know if we can be of any help.

2 Likes
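The flow described in the reply above (send the password once, keep only the tokens, use the re-auth token later), as an added Go example that is not part of the thread and not OGS code. The token URL, the `app-id`/`app-secret` placeholders and the RFC 6749 parameter names are assumptions, and `main` talks to a constructed local endpoint rather than a real server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Session is all the client persists: tokens only, never the password.
type Session struct {
	Access  string `json:"access_token"`
	Refresh string `json:"refresh_token"`
}

// grant posts one token request; RFC 6749 parameter names are assumed here.
func grant(tokenURL string, form url.Values) (*Session, error) {
	form.Set("client_id", "app-id") // placeholder app credentials (assumed)
	form.Set("client_secret", "app-secret")
	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	s := &Session{}
	if err := json.NewDecoder(resp.Body).Decode(s); err != nil || resp.StatusCode != http.StatusOK || s.Access == "" {
		return nil, fmt.Errorf("token request failed: status %d: %v", resp.StatusCode, err)
	}
	return s, nil
}

// Login sends the password once; the caller keeps only the returned Session.
func Login(tokenURL, user, pass string) (*Session, error) {
	return grant(tokenURL, url.Values{"grant_type": {"password"}, "username": {user}, "password": {pass}})
}

// Renew trades the stored refresh token for new tokens; no password involved.
func Renew(tokenURL string, s *Session) (*Session, error) {
	return grant(tokenURL, url.Values{"grant_type": {"refresh_token"}, "refresh_token": {s.Refresh}})
}

func main() { // constructed local token endpoint so the demo runs offline
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, `{"access_token":"at-%s","refresh_token":"rt"}`, r.FormValue("grant_type"))
	}))
	defer srv.Close()
	s, err := Login(srv.URL, "alice", "constructed-password")
	fmt.Println(s, err)
}
```

Call `Renew` when the access token has expired or been rejected; if a server omits `refresh_token` in that response, keep the previous one.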