Hi, Dave! Thanks for the encouragement and information.

The application for my friend is a guest-book kiosk (1930s typewriter parlor-punk) written in LiveCode. The first phase simply generated uploadable files. The kiosk is on the local LAN behind a firewall and file access is by user name and password. The kiosk does have internet access.

The second phase (about to be installed) uses a clear-text config file which does include my friend's Constant Contact user name and password. I'm not completely happy with that, but file access is password protected. It uses BASIC authentication to make contact changes. The application does not serve web pages. This application will probably have only one installation and all actors are trusted; however, there is talk of franchises and the future.

It seems a third phase is needed to implement OAuth 2.0. I see several possibilities, different directions:

1. I can work with my friend and create a bearer token "by hand" using a web browser or a web tool. That token can be put into the config file. Presumably that token can be canceled, if stolen. Perhaps there is a secure web page at Constant Contact that can aid in this--put in the API Key and client secret, and get back a bearer token and a user name.

2. I can add a web interface to the app which is used within the LAN for setup, including the creation of the bearer token in a more traditional way. The token can be stored in a file encrypted using an application secret. This opens the opportunity (translation: I'm creating even more work for myself--this is all free for a friend) for editing configuration information through the web interface, and it and the bearer token can be saved in an encrypted preference file. And (more work) a stat page and other information might be made available for my friend. In contrast with other methods, this requires the creation of a server either within the app or used by the app.

5. The app takes on all roles of resource owner, user agent and client. This would require following redirects and parsing the form at the Constant Contact authentication server. The config file is not influenced by this and would stay the same for now.

My thoughts on how OAuth 2.0 might fit in with a simple application no doubt illustrate my ignorance of OAuth and confusion of how it might apply to my app. That should be interpreted as questions.