Rekindling an old thread. Are we going to support this in next IS release?

On Thu, Apr 17, 2014 at 8:26 PM, Kasun Dananjaya Delgolla <[email protected]>
wrote:

> +1. I think this is the ideal way of doing that.
>
>
> On Thu, Apr 17, 2014 at 5:57 PM, Gayan Gunawardana <[email protected]> wrote:
>
>> Hi,
>>
>> +1 for dynamic client generation.
>>
>> This is what we have discussed in several meetings.
>>
>> If time permit I can have a look at the spec and do the implementation.
>> This will be an ideal solution for most of security holes.
>>
>>
>>
>> On Thu, Apr 17, 2014 at 5:41 PM, Suresh Attanayaka <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> We can use Dynamic Client Registration[1] to get a ClientKey and a
>>> ClientSecrete. The advantage here is that different instances of the same
>>> application will have different ClientKey and ClientSecrete. With this we
>>> can identify each installation.
>>>
>>> Dynamic Client Registration has a registration endpoint which requires
>>> an initial token. The initial token can be obtained using basic
>>> authentication, then the client can use that initial token to register
>>> itself at the EMM and get the ClientKey + ClientSecrete.
>>>
>>> Once the client has received the ClientKey and ClientSecrete, it should
>>> store it securely.
>>>
>>> [1]- http://openid.net/specs/openid-connect-registration-1_0.html
>>>
>>>
>>>
>>>
>>> On Thu, Apr 17, 2014 at 2:52 PM, Harshan Liyanage <[email protected]>
>>> wrote:
>>>
>>>> I think we could use a technique like "*Image Steganography[[1]*" to
>>>> store consumer key/secret inside the application so it would be difficult
>>>> to hack. For the image we can use something like application logo so it
>>>> won't get much attention. On the otherhand we could modify the
>>>> steganography algorithm and make it much more secure.
>>>>
>>>> [1]. http://en.wikipedia.org/wiki/Steganography
>>>>
>>>> Best Regards,
>>>>
>>>> Lakshitha Harshan
>>>> Software Engineer
>>>> Mobile: *+94724423048*
>>>> Email: [email protected]
>>>> Blog : http://harshanliyanage.blogspot.com/
>>>> *WSO2, Inc. :** wso2.com <http://wso2.com/>*
>>>> lean.enterprise.middleware.
>>>>
>>>>
>>>> On Thu, Apr 17, 2014 at 2:21 PM, Chathura Dilan <[email protected]>
>>>> wrote:
>>>>
>>>>> if it is unique to the app, there could be another security issue.
>>>>> Someone can get our source and authenticate himself with his app, and they
>>>>> are able to download the key from the server.
>>>>>
>>>>>
>>>>> On Thu, Apr 17, 2014 at 2:12 PM, Chathura Dilan <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Is consumer/secret key unique to a user or is it unique to the app?
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 17, 2014 at 12:20 PM, Chan <[email protected]> wrote:
>>>>>>
>>>>>>> +1 to the idea since basic auth will be first used to obtain the
>>>>>>> consumer secret. But we might have to change the flow from how it 
>>>>>>> usually
>>>>>>> work.
>>>>>>>
>>>>>>> Cheers~
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 17, 2014 at 12:17 PM, Kasun Dananjaya Delgolla <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> We're going to protect all the API calls from EMM client side using
>>>>>>>> OAuth.
>>>>>>>>
>>>>>>>> I have a concern whether to store the consumer key/secret inside
>>>>>>>> the EMM Agent Application or making it dynamic. We can actually send 
>>>>>>>> those
>>>>>>>> 2 when the user authenticates from the mobile client (As the 
>>>>>>>> response), and
>>>>>>>> then we can store it inside a private preference (Which is application
>>>>>>>> private).
>>>>>>>>
>>>>>>>> I see this as the safest way because keeping it hardcoded in the
>>>>>>>> source or a file might be extremely easy to hack. So WDYT?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> --
>>>>>>>> Kasun Dananjaya Delgolla
>>>>>>>>
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>> lean.enterprise.middleware
>>>>>>>> Tel:  +94 11 214 5345
>>>>>>>> Fax: +94 11 2145300
>>>>>>>> Mob: + 94 777 997 850
>>>>>>>> Blog: http://kddcodingparadise.blogspot.com
>>>>>>>> Linkedin: *http://lk.linkedin.com/in/kasundananjaya
>>>>>>>> <http://lk.linkedin.com/in/kasundananjaya>*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Kasun Dananjaya Delgolla
>>>>>>>>
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>> lean.enterprise.middleware
>>>>>>>> Tel:  +94 11 214 5345
>>>>>>>> Fax: +94 11 2145300
>>>>>>>> Mob: + 94 777 997 850
>>>>>>>> Blog: http://kddcodingparadise.blogspot.com
>>>>>>>> Linkedin: *http://lk.linkedin.com/in/kasundananjaya
>>>>>>>> <http://lk.linkedin.com/in/kasundananjaya>*
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Chan (Dulitha Wijewantha)
>>>>>>> Software Engineer - Mobile Development
>>>>>>> WSO2Mobile
>>>>>>> Lean.Enterprise.Mobileware
>>>>>>>  * ~Email       [email protected] <[email protected]>*
>>>>>>> *  ~Mobile     +94712112165 <%2B94712112165>*
>>>>>>> *  ~Website   dulitha.me <http://dulitha.me>*
>>>>>>> *  ~Twitter     @dulitharw <https://twitter.com/dulitharw>*
>>>>>>>   *~Github     @dulichan <https://github.com/dulichan>*
>>>>>>>   *~SO     @chan <http://stackoverflow.com/users/813471/chan>*
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>>
>>>>>> Chatura Dilan Perera
>>>>>> *(Senior Software Engineer - WSO2 Inc.)*
>>>>>> www.dilan.me
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>>
>>>>> Chatura Dilan Perera
>>>>> *(Senior Software Engineer - WSO2 Inc.)*
>>>>> www.dilan.me
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Suresh Attanayake
>>> Senior Software Engineer; WSO2 Inc. http://wso2.com/
>>> Blog : http://sureshatt.blogspot.com/
>>> Web : http://www.ssoarcade.com/
>>> Facebook : https://www.facebook.com/IdentityWorld
>>> Twitter : https://twitter.com/sureshatt
>>> LinkedIn : http://lk.linkedin.com/in/sureshatt
>>> Mobile : +94755012060
>>> Mobile : +016166171172
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: [email protected]
>> Mobile: +94 (71) 8020933
>> Blog: http://gayanj2ee.blogspot.com/
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Kasun Dananjaya Delgolla
>
> Software Engineer
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> Tel:  +94 11 214 5345
> Fax: +94 11 2145300
> Mob: + 94 777 997 850
> Blog: http://kddcodingparadise.blogspot.com
> Linkedin: *http://lk.linkedin.com/in/kasundananjaya
> <http://lk.linkedin.com/in/kasundananjaya>*
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Chan (Dulitha Wijewantha)
Software Engineer - Mobile Development
WSO2 Inc
Lean.Enterprise.Mobileware
 * ~Email       [email protected] <[email protected]>*
*  ~Mobile     +94712112165*
*  ~Website   dulitha.me <http://dulitha.me>*
*  ~Twitter     @dulitharw <https://twitter.com/dulitharw>*
  *~Github     @dulichan <https://github.com/dulichan>*
  *~SO     @chan <http://stackoverflow.com/users/813471/chan>*
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Reply via email to