OAuth Google API for Unregistered Applications
To make this work, Google will accept some default values for the consumer key and secret when you sign your OAuth request – see their documentation on signing OAuth requests. To do this, set both the consumer key and the consumer secret to the value “anonymous”, and proceed as you normally would. The only difference so far as I can see is that the user will be shown a more cautious message when they are prompted to grant access to your application. Personally I think this is a great approach, particularly when prototyping ideas. Registering an application, though, is simple and quick, so I’d recommend registering most applications once they get beyond the concept stage.
As much as this approach might be useful for development purposes, I would not recommend that OAuth providers implement an anonymous client id and shared secret for their apps.
OAuth requires the resource owner to understand exactly what is happening at all stages of the process. Removing a vital identifier from this process introduces an unknown element into an already complex process. Therefore this is an anti-pattern in my opinion. I am disappointed that Google have chosen to implement this rather peculiar pattern.
I am aware you alluded to this at the end of the post, but felt the point was worth re-iterating.
Sam: Thanks for adding the comment, you make a point that I really skated over! I was surprised to see this “feature” in the Google APIs, for all the reasons you mention.