Most probably this is not going to support in next IS release. On Thu, Nov 6, 2014 at 12:07 PM, Chan <[email protected]> wrote:
> Rekindling an old thread. Are we going to support this in next IS release? > > On Thu, Apr 17, 2014 at 8:26 PM, Kasun Dananjaya Delgolla <[email protected] > > wrote: > >> +1. I think this is the ideal way of doing that. >> >> >> On Thu, Apr 17, 2014 at 5:57 PM, Gayan Gunawardana <[email protected]> >> wrote: >> >>> Hi, >>> >>> +1 for dynamic client generation. >>> >>> This is what we have discussed in several meetings. >>> >>> If time permit I can have a look at the spec and do the implementation. >>> This will be an ideal solution for most of security holes. >>> >>> >>> >>> On Thu, Apr 17, 2014 at 5:41 PM, Suresh Attanayaka <[email protected]> >>> wrote: >>> >>>> Hi, >>>> >>>> We can use Dynamic Client Registration[1] to get a ClientKey and a >>>> ClientSecrete. The advantage here is that different instances of the same >>>> application will have different ClientKey and ClientSecrete. With this we >>>> can identify each installation. >>>> >>>> Dynamic Client Registration has a registration endpoint which requires >>>> an initial token. The initial token can be obtained using basic >>>> authentication, then the client can use that initial token to register >>>> itself at the EMM and get the ClientKey + ClientSecrete. >>>> >>>> Once the client has received the ClientKey and ClientSecrete, it should >>>> store it securely. >>>> >>>> [1]- http://openid.net/specs/openid-connect-registration-1_0.html >>>> >>>> >>>> >>>> >>>> On Thu, Apr 17, 2014 at 2:52 PM, Harshan Liyanage <[email protected]> >>>> wrote: >>>> >>>>> I think we could use a technique like "*Image Steganography[[1]*" to >>>>> store consumer key/secret inside the application so it would be difficult >>>>> to hack. For the image we can use something like application logo so it >>>>> won't get much attention. On the otherhand we could modify the >>>>> steganography algorithm and make it much more secure. >>>>> >>>>> [1]. http://en.wikipedia.org/wiki/Steganography >>>>> >>>>> Best Regards, >>>>> >>>>> Lakshitha Harshan >>>>> Software Engineer >>>>> Mobile: *+94724423048* >>>>> Email: [email protected] >>>>> Blog : http://harshanliyanage.blogspot.com/ >>>>> *WSO2, Inc. :** wso2.com <http://wso2.com/>* >>>>> lean.enterprise.middleware. >>>>> >>>>> >>>>> On Thu, Apr 17, 2014 at 2:21 PM, Chathura Dilan <[email protected]> >>>>> wrote: >>>>> >>>>>> if it is unique to the app, there could be another security issue. >>>>>> Someone can get our source and authenticate himself with his app, and >>>>>> they >>>>>> are able to download the key from the server. >>>>>> >>>>>> >>>>>> On Thu, Apr 17, 2014 at 2:12 PM, Chathura Dilan <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> Is consumer/secret key unique to a user or is it unique to the app? >>>>>>> >>>>>>> >>>>>>> On Thu, Apr 17, 2014 at 12:20 PM, Chan <[email protected]> wrote: >>>>>>> >>>>>>>> +1 to the idea since basic auth will be first used to obtain the >>>>>>>> consumer secret. But we might have to change the flow from how it >>>>>>>> usually >>>>>>>> work. >>>>>>>> >>>>>>>> Cheers~ >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Apr 17, 2014 at 12:17 PM, Kasun Dananjaya Delgolla < >>>>>>>> [email protected]> wrote: >>>>>>>> >>>>>>>>> Hi All, >>>>>>>>> >>>>>>>>> We're going to protect all the API calls from EMM client side >>>>>>>>> using OAuth. >>>>>>>>> >>>>>>>>> I have a concern whether to store the consumer key/secret inside >>>>>>>>> the EMM Agent Application or making it dynamic. We can actually send >>>>>>>>> those >>>>>>>>> 2 when the user authenticates from the mobile client (As the >>>>>>>>> response), and >>>>>>>>> then we can store it inside a private preference (Which is application >>>>>>>>> private). >>>>>>>>> >>>>>>>>> I see this as the safest way because keeping it hardcoded in the >>>>>>>>> source or a file might be extremely easy to hack. So WDYT? >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> -- >>>>>>>>> Kasun Dananjaya Delgolla >>>>>>>>> >>>>>>>>> Software Engineer >>>>>>>>> WSO2 Inc.; http://wso2.com >>>>>>>>> lean.enterprise.middleware >>>>>>>>> Tel: +94 11 214 5345 >>>>>>>>> Fax: +94 11 2145300 >>>>>>>>> Mob: + 94 777 997 850 >>>>>>>>> Blog: http://kddcodingparadise.blogspot.com >>>>>>>>> Linkedin: *http://lk.linkedin.com/in/kasundananjaya >>>>>>>>> <http://lk.linkedin.com/in/kasundananjaya>* >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Kasun Dananjaya Delgolla >>>>>>>>> >>>>>>>>> Software Engineer >>>>>>>>> WSO2 Inc.; http://wso2.com >>>>>>>>> lean.enterprise.middleware >>>>>>>>> Tel: +94 11 214 5345 >>>>>>>>> Fax: +94 11 2145300 >>>>>>>>> Mob: + 94 777 997 850 >>>>>>>>> Blog: http://kddcodingparadise.blogspot.com >>>>>>>>> Linkedin: *http://lk.linkedin.com/in/kasundananjaya >>>>>>>>> <http://lk.linkedin.com/in/kasundananjaya>* >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Chan (Dulitha Wijewantha) >>>>>>>> Software Engineer - Mobile Development >>>>>>>> WSO2Mobile >>>>>>>> Lean.Enterprise.Mobileware >>>>>>>> * ~Email [email protected] <[email protected]>* >>>>>>>> * ~Mobile +94712112165 <%2B94712112165>* >>>>>>>> * ~Website dulitha.me <http://dulitha.me>* >>>>>>>> * ~Twitter @dulitharw <https://twitter.com/dulitharw>* >>>>>>>> *~Github @dulichan <https://github.com/dulichan>* >>>>>>>> *~SO @chan <http://stackoverflow.com/users/813471/chan>* >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Regards, >>>>>>> >>>>>>> Chatura Dilan Perera >>>>>>> *(Senior Software Engineer - WSO2 Inc.)* >>>>>>> www.dilan.me >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Regards, >>>>>> >>>>>> Chatura Dilan Perera >>>>>> *(Senior Software Engineer - WSO2 Inc.)* >>>>>> www.dilan.me >>>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Dev mailing list >>>>> [email protected] >>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>> >>>>> >>>> >>>> >>>> -- >>>> Suresh Attanayake >>>> Senior Software Engineer; WSO2 Inc. http://wso2.com/ >>>> Blog : http://sureshatt.blogspot.com/ >>>> Web : http://www.ssoarcade.com/ >>>> Facebook : https://www.facebook.com/IdentityWorld >>>> Twitter : https://twitter.com/sureshatt >>>> LinkedIn : http://lk.linkedin.com/in/sureshatt >>>> Mobile : +94755012060 >>>> Mobile : +016166171172 >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> [email protected] >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>> >>> >>> -- >>> Gayan Gunawardana >>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>> Email: [email protected] >>> Mobile: +94 (71) 8020933 >>> Blog: http://gayanj2ee.blogspot.com/ >>> >>> _______________________________________________ >>> Dev mailing list >>> [email protected] >>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>> >>> >> >> >> -- >> Kasun Dananjaya Delgolla >> >> Software Engineer >> WSO2 Inc.; http://wso2.com >> lean.enterprise.middleware >> Tel: +94 11 214 5345 >> Fax: +94 11 2145300 >> Mob: + 94 777 997 850 >> Blog: http://kddcodingparadise.blogspot.com >> Linkedin: *http://lk.linkedin.com/in/kasundananjaya >> <http://lk.linkedin.com/in/kasundananjaya>* >> >> _______________________________________________ >> Dev mailing list >> [email protected] >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> > > > -- > Chan (Dulitha Wijewantha) > Software Engineer - Mobile Development > WSO2 Inc > Lean.Enterprise.Mobileware > * ~Email [email protected] <[email protected]>* > * ~Mobile +94712112165 <%2B94712112165>* > * ~Website dulitha.me <http://dulitha.me>* > * ~Twitter @dulitharw <https://twitter.com/dulitharw>* > *~Github @dulichan <https://github.com/dulichan>* > *~SO @chan <http://stackoverflow.com/users/813471/chan>* > -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: [email protected] Mobile: +94 (71) 8020933
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
