Consumer Secret in Open Source Software
Hi all,
We in G.ho.st are working on an open source project that also deals with open authentication techniques. I just returned from FOSDEM where I heard about OAuth and projects and developers that [plan to] use it. Naturally I was highly interested in learning OAuth.
Now that I did, I have a question: you say in http://oauth.net/about/ that OAuth is designed for open source software where there can be no secrets. How do you plan to deal with the problem where the Consumer is an open source application, so that the Consumer Key / Secret cannot be kept secret?
Regards
Anton Bar
http://G.ho.st... No walls
OAuth does not say anything about how these keys should be secured. I think that is an open question.
But the only importance of the consumer token and consumer secret is to sign the message while requesting a request token. This information will be used by the server to tell the user that application "A" COULD BE requesting access to your data.
The user has to use his judgement to make sure that indeed he is using this application and it is in the process of requesting access. Only when the user has authorized the known application can it get an access token, which is used in future requests to access data.
Also OAuth leaves open the issue of putting additional measures in place to ensure the authenticity of the messages, like checking the IP address, making sure the same application is not requesting permission twice, etc.
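The signing step the answer describes, as an added example (not code from this thread or from G.ho.st): OAuth 1.0 HMAC-SHA1 signing per RFC 5849, where the signing key is consumer_secret&token_secret. For the request-token call the token secret is empty, which is exactly why the consumer secret alone only lets a client identify itself at that first step; the user's authorization and the resulting token secret are still needed for data access. The key, secret, nonce and URLs below are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars left bare)."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & encoded base URL & encoded normalized params."""
    parts = urlsplit(url)
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    host, _, port = netloc.partition(":")
    if (scheme, port) not in (("http", "80"), ("https", "443"), (scheme, "")):
        host = f"{host}:{port}"  # non-default ports stay in the base URL
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items())
    )
    return "&".join([method.upper(), pct(f"{scheme}://{host}{parts.path}"), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """Signing key is consumer_secret&token_secret; the request-token call has no token yet."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, params, consumer_secret, token_secret=""):
    """Server-side check: recompute the signature over the other params, compare in constant time."""
    params = dict(params)
    presented = params.pop("oauth_signature", "")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Constructed request-token call (sample values, not real credentials or endpoints).
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
REQUEST_TOKEN_URL = "https://photos.example.net/initiate"
REQUEST_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131200",
    "oauth_nonce": "wIjqoS",
    "oauth_callback": "http://printer.example.com/ready",
}
```

Calling sign("POST", REQUEST_TOKEN_URL, REQUEST_PARAMS, CONSUMER_SECRET) yields the oauth_signature value the client would send; verify() on the server only proves possession of the consumer secret, not that the user has approved anything.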