+1. I think this is the ideal way of doing that.

On Thu, Apr 17, 2014 at 5:57 PM, Gayan Gunawardana <[email protected]> wrote:
> Hi,
>
> +1 for dynamic client generation.
>
> This is what we have discussed in several meetings.
>
> If time permits I can have a look at the spec and do the implementation.
> This will be an ideal solution for most of the security holes.
>
> On Thu, Apr 17, 2014 at 5:41 PM, Suresh Attanayaka <[email protected]> wrote:
>> Hi,
>>
>> We can use Dynamic Client Registration [1] to get a ClientKey and a
>> ClientSecret. The advantage here is that different instances of the same
>> application will have different ClientKey and ClientSecret. With this we
>> can identify each installation.
>>
>> Dynamic Client Registration has a registration endpoint which requires an
>> initial token. The initial token can be obtained using basic
>> authentication, then the client can use that initial token to register
>> itself at the EMM and get the ClientKey + ClientSecret.
>>
>> Once the client has received the ClientKey and ClientSecret, it should
>> store them securely.
>>
>> [1] http://openid.net/specs/openid-connect-registration-1_0.html
>>
>> On Thu, Apr 17, 2014 at 2:52 PM, Harshan Liyanage <[email protected]> wrote:
>>> I think we could use a technique like "Image Steganography" [1] to
>>> store the consumer key/secret inside the application so it would be
>>> difficult to hack. For the image we can use something like the
>>> application logo so it won't get much attention. On the other hand we
>>> could modify the steganography algorithm and make it much more secure.
>>>
>>> [1] http://en.wikipedia.org/wiki/Steganography
>>>
>>> Best Regards,
>>>
>>> Lakshitha Harshan
>>> Software Engineer
>>> Mobile: +94724423048
>>> Email: [email protected]
>>> Blog: http://harshanliyanage.blogspot.com/
>>> WSO2, Inc.: wso2.com
>>> lean.enterprise.middleware.
>>>
>>> On Thu, Apr 17, 2014 at 2:21 PM, Chathura Dilan <[email protected]> wrote:
>>>> If it is unique to the app, there could be another security issue.
>>>> Someone can get our source and authenticate himself with his app, and
>>>> they are able to download the key from the server.
>>>>
>>>> On Thu, Apr 17, 2014 at 2:12 PM, Chathura Dilan <[email protected]> wrote:
>>>>> Is the consumer/secret key unique to a user or is it unique to the app?
>>>>>
>>>>> On Thu, Apr 17, 2014 at 12:20 PM, Chan <[email protected]> wrote:
>>>>>> +1 to the idea since basic auth will be first used to obtain the
>>>>>> consumer secret. But we might have to change the flow from how it
>>>>>> usually works.
>>>>>>
>>>>>> Cheers~
>>>>>>
>>>>>> On Thu, Apr 17, 2014 at 12:17 PM, Kasun Dananjaya Delgolla <[email protected]> wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We're going to protect all the API calls from the EMM client side
>>>>>>> using OAuth.
>>>>>>>
>>>>>>> I have a concern whether to store the consumer key/secret inside the
>>>>>>> EMM Agent Application or to make it dynamic. We can actually send
>>>>>>> those 2 when the user authenticates from the mobile client (as the
>>>>>>> response), and then we can store it inside a private preference
>>>>>>> (which is application private).
>>>>>>>
>>>>>>> I see this as the safest way because keeping it hardcoded in the
>>>>>>> source or a file might be extremely easy to hack. So WDYT?
>>>>>>>
>>>>>>> Regards,
>>>>>>> --
>>>>>>> Kasun Dananjaya Delgolla
>>>>>>>
>>>>>>> Software Engineer
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>> Tel: +94 11 214 5345
>>>>>>> Fax: +94 11 2145300
>>>>>>> Mob: + 94 777 997 850
>>>>>>> Blog: http://kddcodingparadise.blogspot.com
>>>>>>> Linkedin: http://lk.linkedin.com/in/kasundananjaya
>>>>>>
>>>>>> --
>>>>>> Chan (Dulitha Wijewantha)
>>>>>> Software Engineer - Mobile Development
>>>>>> WSO2Mobile
>>>>>> Lean.Enterprise.Mobileware
>>>>>> ~Email [email protected]
>>>>>> ~Mobile +94712112165
>>>>>> ~Website dulitha.me
>>>>>> ~Twitter @dulitharw <https://twitter.com/dulitharw>
>>>>>> ~Github @dulichan <https://github.com/dulichan>
>>>>>> ~SO @chan <http://stackoverflow.com/users/813471/chan>
>>>>>
>>>>> --
>>>>> Regards,
>>>>>
>>>>> Chatura Dilan Perera
>>>>> (Senior Software Engineer - WSO2 Inc.)
>>>>> www.dilan.me
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Chatura Dilan Perera
>>>> (Senior Software Engineer - WSO2 Inc.)
>>>> www.dilan.me
>>
>> --
>> Suresh Attanayake
>> Senior Software Engineer; WSO2 Inc.
>> http://wso2.com/
>> Blog : http://sureshatt.blogspot.com/
>> Web : http://www.ssoarcade.com/
>> Facebook : https://www.facebook.com/IdentityWorld
>> Twitter : https://twitter.com/sureshatt
>> LinkedIn : http://lk.linkedin.com/in/sureshatt
>> Mobile : +94755012060
>> Mobile : +016166171172
>
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933
> Blog: http://gayanj2ee.blogspot.com/

--
Kasun Dananjaya Delgolla

Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
Tel: +94 11 214 5345
Fax: +94 11 2145300
Mob: + 94 777 997 850
Blog: http://kddcodingparadise.blogspot.com
Linkedin: http://lk.linkedin.com/in/kasundananjaya

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
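The two-step Dynamic Client Registration flow Suresh describes in the quoted thread (basic auth to obtain an initial access token, then a Bearer-authenticated call to the registration endpoint that returns a per-installation ClientKey and ClientSecret), as an added example that is not part of the thread and not WSO2 EMM's code. Both sides are modelled as in-memory Python functions, with dicts standing in for HTTP headers and JSON bodies; the test account, the 300-second token lifetime and the `revoke` call are assumptions made for the illustration. It goes slightly beyond the thread by showing why distinct credentials per install matter: one device can be cut off without touching the user's others.

```python
"""Toy model of OpenID Connect Dynamic Client Registration: every installation of
the agent gets its own client_id/client_secret. Added example, not WSO2 EMM code;
dicts stand in for HTTP headers and JSON bodies, and the account, token lifetime
and revocation call are assumptions made for the illustration."""
import base64
import hashlib
import hmac
import secrets
import time

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class RegistrationServer:
    """EMM side: user accounts, one-time initial access tokens, registered clients."""

    def __init__(self):
        self._users = {}           # username -> (salt, pbkdf2 hash)
        self._initial_tokens = {}  # token -> (username, expiry)
        self.clients = {}          # client_id -> registration record

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _pbkdf2(password, salt))

    def _basic_auth_user(self, authorization):
        """Return the username if the Basic credentials verify, else None."""
        scheme, _, blob = authorization.partition(" ")
        if scheme != "Basic":
            return None
        username, _, password = base64.b64decode(blob).decode().partition(":")
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        return username if hmac.compare_digest(_pbkdf2(password, salt), stored) else None

    def issue_initial_token(self, headers):
        """Step 1: Basic auth -> short-lived, single-use initial access token."""
        user = self._basic_auth_user(headers.get("Authorization", ""))
        if user is None:
            return 401, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)
        self._initial_tokens[token] = (user, time.time() + 300)  # 5 min, assumed
        return 200, {"initial_access_token": token, "expires_in": 300}

    def register(self, headers, body):
        """Step 2: registration endpoint; consumes the initial token, mints client creds."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        entry = self._initial_tokens.pop(token, None) if scheme == "Bearer" else None
        if entry is None or entry[1] < time.time():
            return 401, {"error": "invalid_token"}
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        # 256-bit random secret: a plain hash suffices server-side; the plaintext
        # is returned once in the response and never stored.
        self.clients[client_id] = {
            "owner": entry[0],
            "client_name": body.get("client_name", ""),
            "secret_hash": hashlib.sha256(client_secret.encode()).digest(),
            "revoked": False,
        }
        return 201, {"client_id": client_id, "client_secret": client_secret}

    def authenticate_client(self, client_id, client_secret):
        """Later API calls: is this ClientKey/ClientSecret pair a live installation?"""
        record = self.clients.get(client_id)
        if record is None or record["revoked"]:
            return False
        presented = hashlib.sha256(client_secret.encode()).digest()
        return hmac.compare_digest(presented, record["secret_hash"])

    def revoke(self, client_id):
        """Cut off one installation without touching the user's other devices."""
        if client_id in self.clients:
            self.clients[client_id]["revoked"] = True


def enroll_installation(server, username, password, device_label):
    """Agent side: run once at first launch; the returned pair is what gets stored securely."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    status, resp = server.issue_initial_token({"Authorization": f"Basic {creds}"})
    if status != 200:
        raise PermissionError(resp["error"])
    status, reg = server.register(
        {"Authorization": f"Bearer {resp['initial_access_token']}"},
        {"client_name": device_label})
    if status != 201:
        raise PermissionError(reg["error"])
    return reg["client_id"], reg["client_secret"]


def demo():
    """Two installs for one user get distinct credentials; revoking one leaves the other live."""
    server = RegistrationServer()
    pw = "correct horse battery staple"           # constructed test account
    server.add_user("alice", pw)
    phone = enroll_installation(server, "alice", pw, "alice-phone")
    tablet = enroll_installation(server, "alice", pw, "alice-tablet")
    server.revoke(phone[0])
    return {"distinct": phone[0] != tablet[0] and phone[1] != tablet[1],
            "phone_alive": server.authenticate_client(*phone),
            "tablet_alive": server.authenticate_client(*tablet)}
```

The initial access token is popped from the server table on first use, so a captured token cannot register a second client, and the secret only ever crosses the wire once, in the registration response; after that the agent authenticates with the pair it persisted, which is the "store it securely" step in the quoted message.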
