can't you just rip the oauth client secret out of the code?