Hi, +1 for dynamic client generation.
This is what we have discussed in several meetings. If time permits I can have a look at the spec and do the implementation. This will be an ideal solution for most of the security holes.

On Thu, Apr 17, 2014 at 5:41 PM, Suresh Attanayaka <sur...@wso2.com> wrote:

> Hi,
>
> We can use Dynamic Client Registration [1] to get a ClientKey and a ClientSecret. The advantage here is that different instances of the same application will have different ClientKey and ClientSecret. With this we can identify each installation.
>
> Dynamic Client Registration has a registration endpoint which requires an initial token. The initial token can be obtained using basic authentication, then the client can use that initial token to register itself at the EMM and get the ClientKey + ClientSecret.
>
> Once the client has received the ClientKey and ClientSecret, it should store it securely.
>
> [1] http://openid.net/specs/openid-connect-registration-1_0.html
>
> On Thu, Apr 17, 2014 at 2:52 PM, Harshan Liyanage <hars...@wso2.com> wrote:
>
>> I think we could use a technique like "Image Steganography" [1] to store the consumer key/secret inside the application so it would be difficult to hack. For the image we can use something like the application logo so it won't get much attention. On the other hand we could modify the steganography algorithm and make it much more secure.
>>
>> [1] http://en.wikipedia.org/wiki/Steganography
>>
>> Best Regards,
>>
>> Lakshitha Harshan
>> Software Engineer
>> Mobile: +94724423048
>> Email: hars...@wso2.com
>> Blog: http://harshanliyanage.blogspot.com/
>> WSO2, Inc.: wso2.com
>> lean.enterprise.middleware.
>>
>> On Thu, Apr 17, 2014 at 2:21 PM, Chathura Dilan <chathu...@wso2.com> wrote:
>>
>>> If it is unique to the app, there could be another security issue. Someone can get our source and authenticate himself with his app, and they are able to download the key from the server.
>>>
>>> On Thu, Apr 17, 2014 at 2:12 PM, Chathura Dilan <chathu...@wso2.com> wrote:
>>>
>>>> Is the consumer/secret key unique to a user or is it unique to the app?
>>>>
>>>> On Thu, Apr 17, 2014 at 12:20 PM, Chan <duli...@wso2.com> wrote:
>>>>
>>>>> +1 to the idea since basic auth will be first used to obtain the consumer secret. But we might have to change the flow from how it usually works.
>>>>>
>>>>> Cheers~
>>>>>
>>>>> On Thu, Apr 17, 2014 at 12:17 PM, Kasun Dananjaya Delgolla <kas...@wso2.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> We're going to protect all the API calls from the EMM client side using OAuth.
>>>>>>
>>>>>> I have a concern whether to store the consumer key/secret inside the EMM Agent Application or make it dynamic. We can actually send those 2 when the user authenticates from the mobile client (as the response), and then we can store it inside a private preference (which is application private).
>>>>>>
>>>>>> I see this as the safest way because keeping it hardcoded in the source or a file might be extremely easy to hack. So WDYT?
>>>>>>
>>>>>> Regards,
>>>>>> --
>>>>>> Kasun Dananjaya Delgolla
>>>>>>
>>>>>> Software Engineer
>>>>>> WSO2 Inc.; http://wso2.com
>>>>>> lean.enterprise.middleware
>>>>>> Tel: +94 11 214 5345
>>>>>> Fax: +94 11 2145300
>>>>>> Mob: + 94 777 997 850
>>>>>> Blog: http://kddcodingparadise.blogspot.com
>>>>>> Linkedin: http://lk.linkedin.com/in/kasundananjaya
>>>>>
>>>>> --
>>>>> Chan (Dulitha Wijewantha)
>>>>> Software Engineer - Mobile Development
>>>>> WSO2Mobile
>>>>> Lean.Enterprise.Mobileware
>>>>> ~Email duli...@wso2.com
>>>>> ~Mobile +94712112165
>>>>> ~Website dulitha.me
>>>>> ~Twitter @dulitharw
>>>>> ~Github @dulichan
>>>>> ~SO @chan
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Chatura Dilan Perera
>>>> (Senior Software Engineer - WSO2 Inc.)
>>>> www.dilan.me
>>>
>>> --
>>> Regards,
>>>
>>> Chatura Dilan Perera
>>> (Senior Software Engineer - WSO2 Inc.)
>>> www.dilan.me
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Suresh Attanayake
> Senior Software Engineer; WSO2 Inc.
> http://wso2.com/
> Blog: http://sureshatt.blogspot.com/
> Web: http://www.ssoarcade.com/
> Facebook: https://www.facebook.com/IdentityWorld
> Twitter: https://twitter.com/sureshatt
> LinkedIn: http://lk.linkedin.com/in/sureshatt
> Mobile: +94755012060
> Mobile: +016166171172

--
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
Blog: http://gayanj2ee.blogspot.com/
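The initial-token-then-register flow Suresh describes (basic auth buys an initial access token, the agent presents it as a Bearer token to the registration endpoint, and each installation receives its own client id and secret), as an added example that is not code from the thread or from WSO2 EMM. Both sides run in one file with no network; the endpoint class, the user credentials, the redirect URI and the hashed secret store are all constructed assumptions, modelled on the OpenID Connect Dynamic Client Registration request and response shapes.

```python
import hashlib, hmac, json, secrets

def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

class RegistrationEndpoint:
    # Server side: a minimal EMM registration endpoint (constructed, hypothetical).
    def __init__(self):
        self.initial_tokens = {}   # initial access token -> user who obtained it
        self.clients = {}          # client_id -> record holding a hash of the secret

    def issue_initial_token(self, username, password):
        # Basic-auth step from the thread; the credential check is a constructed stand-in for a user store.
        if (username, password) != ("alice", "correct horse"):
            return None
        token = secrets.token_urlsafe(32)
        self.initial_tokens[token] = username
        return token

    def register(self, authorization_header, body):
        # The request carries the initial token as a Bearer token (OpenID Connect
        # Dynamic Client Registration 1.0, section 3.1); pop() makes it single-use.
        scheme, _, token = authorization_header.partition(" ")
        owner = self.initial_tokens.pop(token, None) if scheme == "Bearer" else None
        if owner is None:
            return 401, {"error": "invalid_token"}
        metadata = json.loads(body)
        if not metadata.get("redirect_uris"):
            return 400, {"error": "invalid_redirect_uri"}
        # Fresh credentials per registration, so every installation is distinguishable
        client_id, client_secret = secrets.token_hex(16), secrets.token_urlsafe(32)
        self.clients[client_id] = {"owner": owner, "metadata": metadata,
                                   "secret_hash": _digest(client_secret)}
        return 201, {"client_id": client_id, "client_secret": client_secret,
                     "redirect_uris": metadata["redirect_uris"]}

    def verify_client(self, client_id, client_secret):
        record = self.clients.get(client_id)
        return record is not None and hmac.compare_digest(
            record["secret_hash"], _digest(client_secret))

def enroll_installation(server, username, password, device_name):
    # Client side: what one EMM agent installation does once, at first launch.
    token = server.issue_initial_token(username, password)
    if token is None:
        return None
    body = json.dumps({"client_name": "EMM Agent on " + device_name,
                       "redirect_uris": ["emmagent://callback"]})
    status, response = server.register("Bearer " + token, body)
    return response if status == 201 else None
```

The server keeps only a hash of each secret, so a leaked client table does not hand out working credentials, and the initial token is consumed on first use, so a captured one cannot register a second installation.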