

OAuth and Single Page JavaScript Web-Apps - Inversechi
http://alexbilbie.com/2014/11/oauth-and-javascript/

======
kiwidrew
I'm confused: what exactly is the problem here?

Google APIs are designed [1] to be accessed on behalf of a Google account
holder by client-side code without any server component being involved. The
client-side code does _not_ use client_secret, only client_id. There isn't any
secret key to steal from the code.

[1] [https://developers.google.com/accounts/docs/OAuth2UserAgent](https://developers.google.com/accounts/docs/OAuth2UserAgent)
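
The flow the comment above refers to, sketched as an added example (not part of the comment or the linked article): the authorization request carries only the public client_id, and the page reads the token from the redirect fragment after checking `state`. The client ID, redirect URI and function names are constructed placeholders.

```javascript
// Added illustration of the OAuth 2.0 user-agent (implicit) flow.
// CLIENT_ID and REDIRECT_URI are constructed placeholder values.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com";
const REDIRECT_URI = "https://app.example/callback";

// Build the authorization request. Only the public client_id is sent;
// there is no client_secret parameter anywhere in this flow.
function buildAuthUrl(scope, state) {
  const url = new URL(AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: "token",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope,
    state, // unpredictable per-request value, kept by the page to bind the response
  }).toString();
  return url.toString();
}

// Parse the fragment the provider appends to the redirect URI.
// The response is rejected unless its state matches the one that was sent.
function parseCallback(callbackUrl, expectedState) {
  const fragment = new URL(callbackUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(fragment);
  if (params.get("error")) {
    return { ok: false, reason: params.get("error") };
  }
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  const token = params.get("access_token");
  if (!token) {
    return { ok: false, reason: "missing_token" };
  }
  return { ok: true, token, expiresIn: Number(params.get("expires_in")) };
}
```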

