Hi- Forgive me if this has been answered before, I've searched the group and website but can't find it.
Anyway, my question involves a desktop app and consumer and token secrets. The desktop app talks to an associated web app, and the user is authenticated to the web app (using a password). The web app has the consumer secret for the app, and it also stores the token secret for each user (the user has to go through a separate, 'standard' OAuth process to get the token secret into the web app).

When the desktop app wants to access a protected resource in the Service Provider on behalf of the user, it asks its associated web app to generate and sign the request. The web app returns the signed request to the desktop app, which then sends it to the Service Provider. (It's done like this because the responses from the Service Provider can be large, so as much load should be taken off the web app as possible.)

Of course, the consumer key ends up given to the desktop app, so it is vulnerable. But the consumer secret never leaves the web app, which is a better place to keep it.

My question is whether the consumer key is any use without the consumer secret? Is the scenario I described above any less secure than having both the consumer key and secret held in the web app (and the web app making all the requests to the Service Provider)? Am I missing something?

Many thanks for reading this and again apologies if I missed the answer somewhere.

David
