I've been working on some JS that works as an OS X dashboard widget. The widget connects to a third-party service which requires OAuth authorization.
In regards to the Consumer Key/Secret, as far as I understand it, these two pieces of information (particularly the Secret) are sensitive and thus should not be shared with anyone. Obviously, the problem here is that both variables are easily accessible if the user is to snoop around in the widget's JS files. I'm aware that this is regularly discussed amongst the OAuth community (and have done some searches) but wanted to get your opinions.

On the one hand, it's still more secure than Basic HTTP authentication, whereby the user's credentials are sent, unencoded, with each and every server request. Similarly, I appreciate that the Secret key could also be found amongst desktop apps with a bit more poking and prodding. But on the other, it opens my application to the possibility of spoofing, whereby a malicious user could use my details to send nasty requests to the third-party service.

This opens the question of whether or not to store my consumer key/secret within the widget's JS files or request them from a third-party server as and when the widget is initialized. If I were to do the former (as I am currently), I'd have to put out a new version of my widget if my old consumer key/secret were compromised. Which I suppose begs the question: how often do such things occur?

Any suggestions?
