Rekindling an old thread. Are we going to support this in next IS release? On Thu, Apr 17, 2014 at 8:26 PM, Kasun Dananjaya Delgolla <[email protected]> wrote:
> +1. I think this is the ideal way of doing that. > > > On Thu, Apr 17, 2014 at 5:57 PM, Gayan Gunawardana <[email protected]> wrote: > >> Hi, >> >> +1 for dynamic client generation. >> >> This is what we have discussed in several meetings. >> >> If time permit I can have a look at the spec and do the implementation. >> This will be an ideal solution for most of security holes. >> >> >> >> On Thu, Apr 17, 2014 at 5:41 PM, Suresh Attanayaka <[email protected]> >> wrote: >> >>> Hi, >>> >>> We can use Dynamic Client Registration[1] to get a ClientKey and a >>> ClientSecrete. The advantage here is that different instances of the same >>> application will have different ClientKey and ClientSecrete. With this we >>> can identify each installation. >>> >>> Dynamic Client Registration has a registration endpoint which requires >>> an initial token. The initial token can be obtained using basic >>> authentication, then the client can use that initial token to register >>> itself at the EMM and get the ClientKey + ClientSecrete. >>> >>> Once the client has received the ClientKey and ClientSecrete, it should >>> store it securely. >>> >>> [1]- http://openid.net/specs/openid-connect-registration-1_0.html >>> >>> >>> >>> >>> On Thu, Apr 17, 2014 at 2:52 PM, Harshan Liyanage <[email protected]> >>> wrote: >>> >>>> I think we could use a technique like "*Image Steganography[[1]*" to >>>> store consumer key/secret inside the application so it would be difficult >>>> to hack. For the image we can use something like application logo so it >>>> won't get much attention. On the otherhand we could modify the >>>> steganography algorithm and make it much more secure. >>>> >>>> [1]. http://en.wikipedia.org/wiki/Steganography >>>> >>>> Best Regards, >>>> >>>> Lakshitha Harshan >>>> Software Engineer >>>> Mobile: *+94724423048* >>>> Email: [email protected] >>>> Blog : http://harshanliyanage.blogspot.com/ >>>> *WSO2, Inc. :** wso2.com <http://wso2.com/>* >>>> lean.enterprise.middleware. >>>> >>>> >>>> On Thu, Apr 17, 2014 at 2:21 PM, Chathura Dilan <[email protected]> >>>> wrote: >>>> >>>>> if it is unique to the app, there could be another security issue. >>>>> Someone can get our source and authenticate himself with his app, and they >>>>> are able to download the key from the server. >>>>> >>>>> >>>>> On Thu, Apr 17, 2014 at 2:12 PM, Chathura Dilan <[email protected]> >>>>> wrote: >>>>> >>>>>> Is consumer/secret key unique to a user or is it unique to the app? >>>>>> >>>>>> >>>>>> On Thu, Apr 17, 2014 at 12:20 PM, Chan <[email protected]> wrote: >>>>>> >>>>>>> +1 to the idea since basic auth will be first used to obtain the >>>>>>> consumer secret. But we might have to change the flow from how it >>>>>>> usually >>>>>>> work. >>>>>>> >>>>>>> Cheers~ >>>>>>> >>>>>>> >>>>>>> On Thu, Apr 17, 2014 at 12:17 PM, Kasun Dananjaya Delgolla < >>>>>>> [email protected]> wrote: >>>>>>> >>>>>>>> Hi All, >>>>>>>> >>>>>>>> We're going to protect all the API calls from EMM client side using >>>>>>>> OAuth. >>>>>>>> >>>>>>>> I have a concern whether to store the consumer key/secret inside >>>>>>>> the EMM Agent Application or making it dynamic. We can actually send >>>>>>>> those >>>>>>>> 2 when the user authenticates from the mobile client (As the >>>>>>>> response), and >>>>>>>> then we can store it inside a private preference (Which is application >>>>>>>> private). >>>>>>>> >>>>>>>> I see this as the safest way because keeping it hardcoded in the >>>>>>>> source or a file might be extremely easy to hack. So WDYT? >>>>>>>> >>>>>>>> Regards, >>>>>>>> -- >>>>>>>> Kasun Dananjaya Delgolla >>>>>>>> >>>>>>>> Software Engineer >>>>>>>> WSO2 Inc.; http://wso2.com >>>>>>>> lean.enterprise.middleware >>>>>>>> Tel: +94 11 214 5345 >>>>>>>> Fax: +94 11 2145300 >>>>>>>> Mob: + 94 777 997 850 >>>>>>>> Blog: http://kddcodingparadise.blogspot.com >>>>>>>> Linkedin: *http://lk.linkedin.com/in/kasundananjaya >>>>>>>> <http://lk.linkedin.com/in/kasundananjaya>* >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Kasun Dananjaya Delgolla >>>>>>>> >>>>>>>> Software Engineer >>>>>>>> WSO2 Inc.; http://wso2.com >>>>>>>> lean.enterprise.middleware >>>>>>>> Tel: +94 11 214 5345 >>>>>>>> Fax: +94 11 2145300 >>>>>>>> Mob: + 94 777 997 850 >>>>>>>> Blog: http://kddcodingparadise.blogspot.com >>>>>>>> Linkedin: *http://lk.linkedin.com/in/kasundananjaya >>>>>>>> <http://lk.linkedin.com/in/kasundananjaya>* >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Chan (Dulitha Wijewantha) >>>>>>> Software Engineer - Mobile Development >>>>>>> WSO2Mobile >>>>>>> Lean.Enterprise.Mobileware >>>>>>> * ~Email [email protected] <[email protected]>* >>>>>>> * ~Mobile +94712112165 <%2B94712112165>* >>>>>>> * ~Website dulitha.me <http://dulitha.me>* >>>>>>> * ~Twitter @dulitharw <https://twitter.com/dulitharw>* >>>>>>> *~Github @dulichan <https://github.com/dulichan>* >>>>>>> *~SO @chan <http://stackoverflow.com/users/813471/chan>* >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Regards, >>>>>> >>>>>> Chatura Dilan Perera >>>>>> *(Senior Software Engineer - WSO2 Inc.)* >>>>>> www.dilan.me >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Regards, >>>>> >>>>> Chatura Dilan Perera >>>>> *(Senior Software Engineer - WSO2 Inc.)* >>>>> www.dilan.me >>>>> >>>> >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> [email protected] >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>> >>> >>> -- >>> Suresh Attanayake >>> Senior Software Engineer; WSO2 Inc. http://wso2.com/ >>> Blog : http://sureshatt.blogspot.com/ >>> Web : http://www.ssoarcade.com/ >>> Facebook : https://www.facebook.com/IdentityWorld >>> Twitter : https://twitter.com/sureshatt >>> LinkedIn : http://lk.linkedin.com/in/sureshatt >>> Mobile : +94755012060 >>> Mobile : +016166171172 >>> >>> _______________________________________________ >>> Dev mailing list >>> [email protected] >>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>> >>> >> >> >> -- >> Gayan Gunawardana >> Software Engineer; WSO2 Inc.; http://wso2.com/ >> Email: [email protected] >> Mobile: +94 (71) 8020933 >> Blog: http://gayanj2ee.blogspot.com/ >> >> _______________________________________________ >> Dev mailing list >> [email protected] >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> > > > -- > Kasun Dananjaya Delgolla > > Software Engineer > WSO2 Inc.; http://wso2.com > lean.enterprise.middleware > Tel: +94 11 214 5345 > Fax: +94 11 2145300 > Mob: + 94 777 997 850 > Blog: http://kddcodingparadise.blogspot.com > Linkedin: *http://lk.linkedin.com/in/kasundananjaya > <http://lk.linkedin.com/in/kasundananjaya>* > > _______________________________________________ > Dev mailing list > [email protected] > http://wso2.org/cgi-bin/mailman/listinfo/dev > > -- Chan (Dulitha Wijewantha) Software Engineer - Mobile Development WSO2 Inc Lean.Enterprise.Mobileware * ~Email [email protected] <[email protected]>* * ~Mobile +94712112165* * ~Website dulitha.me <http://dulitha.me>* * ~Twitter @dulitharw <https://twitter.com/dulitharw>* *~Github @dulichan <https://github.com/dulichan>* *~SO @chan <http://stackoverflow.com/users/813471/chan>*
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
