Gmail IMAP OAuth for desktop clients

Recently Google announced that they are supporting OAUth for Gmail IMAP/SMTP. I browsed through their multiple documentations, but still I am confused about if they support OAuth for installed applications.

1. In this documentation they say:

Note: Though the OAuth protocol supports the desktop/installed application use case, Google only supports OAuth for web applications.

But they also have a document for OAuth for installed applications.

2. When I read the OAuth specification pointed by them, it says (in section 11.7):

In many applications, the Consumer application will be under the control of potentially untrusted parties. For example, if the Consumer is a freely available desktop application, an attacker may be able to download a copy for analysis. In such cases, attackers will be able to recover the Consumer Secret used to authenticate the Consumer to the Service Provider.

Also I think the disclaimer in point 1 above is about Google Data APIs, and surely IMAP/SMTP is not a part of them.

I understand that 开发者_运维百科for installed applications I can have a setup like:

1. Have a small web-app at say example.com for my application. This web-app talks to Google gets the access token.

2. The installed application talks to example.com only to get the access token.

3. Installed application then talks to Google with the access token.

I am now confused. Is this the only way? Also, if I do OAuth from desktop application we have to ship the Consumer Secret key with the app. Then, we can't maintain secrecy of the consumer key.

Yes, Oauth is supported for installed applications; see Gmail IMAP and SMTP using OAuth documentation.

1. Documentation is simply outdated (2008)
2. It makes sense but just for application that does not store access token in a safe way.

Your setup is good although i don't think having a web-app that talks with google is mandatory; for example your users could just copy and paste "request token" to your desktop client application.