On Mon, Jan 26, 2009 at 9:20 PM, hallsy <[email protected]> wrote:
>
> ...
>
> Of course, the consumer key ends up given to the desktop app so is
> vulnerable. But the consumer secret never leaves the web app, which is
> a better place to keep it.
>
> My question is whether the consumer key is any use without the
> consumer secret?
>
> Is the scenario I described above any less secure than having both the
> consumer key and secret held in the web app (and the web app making
> all the requests to the Service Provider)?

No - the consumer key is transmitted in clear text over the wire in all OAuth use cases that do not involve SSL. As such, it was designed to be "safe-to-leak".

> Am I missing something?

Nope! :-) Thanks for bringing it up. I think this is a very useful pattern, particularly for developers of desktop applications that are clients for a web service.

b.
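
The "safe-to-leak" point above, shown with OAuth 1.0 HMAC-SHA1 signing as an added example that is not part of the original thread: the consumer key is only a signed parameter, while the HMAC key is built from the consumer secret, so a signature made without the secret fails verification. The keys, secret, URL, nonce and timestamp are constructed values, and the empty token secret assumes a request made before any token is issued.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# All values below are constructed for illustration.
CONSUMER_KEY = "desktop-app-key"         # shipped inside the desktop app
CONSUMER_SECRET = "web-app-only-secret"  # held only by the web app
URL = "https://sp.example/api/items"

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded URL & encoded, sorted request parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is "consumer_secret&token_secret". The consumer key is
    # only one of the signed parameters, never key material.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Service Provider side: recompute and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def demo():
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1232998800",
        "oauth_nonce": "constructed-nonce-1",
        "oauth_version": "1.0",
    }
    signed_by_web_app = sign("GET", URL, params, CONSUMER_SECRET)
    # A party holding only the consumer key has no HMAC key; here it guesses.
    signed_with_key_only = sign("GET", URL, params, CONSUMER_KEY)
    return (verify("GET", URL, params, signed_by_web_app, CONSUMER_SECRET),
            verify("GET", URL, params, signed_with_key_only, CONSUMER_SECRET))

if __name__ == "__main__":
    print(demo())
```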
