Don’t use a built-in webview for authentication
For the authentication workflow it seems Giara is using a built-in Webview. This is against RFC 8252 - OAuth2.0 for Native Apps from the IETF.
The recommended workflow is to use the default browser of the system, and register your app on a custom scheme to retrieve the authorization code. This is done in the desktop file. You can see an example in Social’s desktop file, although the string is supposed to be unique (so in your case it should be MimeType=x-scheme-handler/orggabmusgiaradesktop;
)
This allows your app to not be aware of the users’s credential at any time (which is one of the points of OAuth2), and it allows the user to only allow your app without having to type-in their credentials if they were only connected in their browser.
Feel free to ask if you want help with the general authentication workflow :)