So how does this 3rd party server authenticate your widget? What's to stop someone from reverse engineering the protocol and requesting your CK/Secret?
We believe that it is impossible to safeguard any secrets embedded in downloadable client applications. Someone with a debugger and some patience will be able to extract the secrets very quickly. Likewise, any secret protocol between a downloadable client and a server can also be easily reverse engineered. Therefore, it's impossible to securely identify a client application, and a downloadable client application's consumer key (even when signed with its consumer secret) is about as meaningful as your browser's HTTP User-Agent string. Unlike downloadable client applications, server based apps are able to safeguard their consumer secret, so it is possible to authenticate server based applications.

Allen Nial wrote:
> This opens the question of whether or not to store my consumer key/secret within the widget's JS files or request them from a third-party server as and when the widget is initialized. If I were to do the former (as I am currently), I'd have to put out a new version of my widget if my old consumer key/secret were compromised. Which I suppose begs the question: how often do such things occur?

You received this message because you are subscribed to the Google Groups "OAuth" group. For more options, visit this group at http://groups.google.com/group/oauth?hl=en
