@xuedi You mean Frapp? Right, if you have a developer account that's where you need to drop your Client ID. :) I'm not yet convinced that publishing my own Client ID is "safe" as far as open source projects are concerned. Let me know if I can help further!
@berg I understand it doesn't grant access to my dev acct, more troubling is e.g. spammer builds an Android app using my client ID, deploys it on the Play store. Lots of people download it. The spammer hits ADN with a bunch of crap from all those clients.
@oj @dalton @cortex looks like github uses *end user* username + password and HTTP Basic auth to generate tokens rather than some semi-secret ID embedded in the client. Much saner IMO :) http://developer.github.com/v3/oauth/#non-web-application-flow
@cortex which I wouldn't necessarily care about, but if they were doing dodgey things with their client using my client_id (spam, fraud, whatever), I obviously don't want it being associated with my apps -- or worse, my ADN account.
@oj not sure if you've seen the auth docs, but see https://github.com/appdotnet/api-spec/blob/master/auth.md - see the Client-side Flow. Suggests you embed the client_id but keep the client_secret private. But you only need the client_id to get a token? :S
@cdn :) you mean directly using an access token? Yeah, leaving the rubbish associated with acquiring an access token to apps built on top of it. Hopefully it's kinda-sorta obvious how that should work (but let me know if I can clarify)