On Mon, Jan 18, 2021 at 3:55 PM Nicol=C3=A1s Alvarez
<nicolas.alvarez@gmail.com> wrote:
>
>
> Protecting an API key on a locally-running application is impossible even=
 for a closed source app. It's equivalent to the impossible task DRM intend=
s to achieve (hiding the content decryption key from the user while decrypt=
ing content on their computer). If you give the application to the user, as=
 opposed to running everything in a server, the key *will* be publicly avai=
lable.
>
> https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gm=
ailpasswordrequester.cpp#0016
>
> --
> Nicolas

It's in fact so impossible that oAuth experts are advocating a number
of extra keys (such as proof key for code exchange and application
state) to be given in oAuth flow. Stuff like IndieAuth even does away
with the 'client secret' (an oAuth api key), because it just makes no
sense in projects with public code.

I was looking into this a while back, oAuth wise, neither the o2 qt
library for oAuth supports the proof key (pkce) nor does the oAuth
plugin for SSO (which kaccounts uses), and then I ran out of time to
look into this.

--=20
Wolthera