It seems like the best way to move forward would be to have my widget contact my server and check for a change in consumer key/secret. Of course, it'd be easy for anyone to visit that address for the latest details, but it'd mean less hassle for the end-user.

On Mar 23, 1:42 am, Allen Tom <[email protected]> wrote:
> So how does this 3rd party server authenticate your widget? What's to
> stop someone from reverse engineering the protocol and requesting your
> CK/Secret?
>
> We believe that it is impossible to safeguard any secrets embedded in
> downloadable client applications. Someone with a debugger and some
> patience will be able to extract the secrets very quickly. Likewise, any
> secret protocol between a downloadable client and a server can also be
> easily reverse engineered. Therefore, it's impossible to securely
> identify a client application, and a downloadable client application's
> consumer key (even when signed with its consumer secret) is about as
> meaningful as your browser's HTTP User-Agent string.
>
> Unlike downloadable client applications, server based apps are able to
> safeguard their consumer secret, so it is possible to authenticate
> server based applications.
>
> Allen
>
> Nial wrote:
> > This opens the question of whether or not to store my consumer key/secret
> > within the widget's JS files or request them from a third-party
> > server as and when the widget is initialized. If I were to do the
> > former (as I am currently), I'd have to put out a new version of my
> > widget if my old consumer key/secret were compromised. Which I suppose
> > begs the question: how often do such things occur?
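
An added illustration of the point in the quoted reply (this code is not from the thread or from any OAuth library): OAuth 1.0 HMAC-SHA1 signing following RFC 5849, with a provider-side check that passes for any program holding the consumer secret and proves nothing more. All keys, secrets, tokens and the URL are constructed placeholders, and `providerAccepts` and `demo` are hypothetical names.

```javascript
const crypto = require("crypto");

// RFC 3986 percent-encoding: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay literal.
function percentEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
function signatureBaseString(method, url, params) {
  const cmp = (x, y) => (x < y ? -1 : x > y ? 1 : 0);
  const pairs = Object.entries(params)
    .map(([k, v]) => [percentEncode(k), percentEncode(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
  return [method.toUpperCase(), percentEncode(url), percentEncode(pairs)].join("&");
}

// The HMAC key is "consumerSecret&tokenSecret". Nothing about the signing
// program itself enters the computation.
function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = `${percentEncode(consumerSecret)}&${percentEncode(tokenSecret)}`;
  return crypto.createHmac("sha1", key)
    .update(signatureBaseString(method, url, params)).digest("base64");
}

// Provider-side check: recompute the signature and compare in constant time.
function providerAccepts(method, url, params, signature, consumerSecret, tokenSecret) {
  const expected = Buffer.from(sign(method, url, params, consumerSecret, tokenSecret));
  const got = Buffer.from(String(signature));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed sample values, not real credentials.
const CS = "secret-shipped-in-widget-js", TS = "user-token-secret";
const sampleUrl = "https://provider.example/api/photos";
const sampleParams = { oauth_consumer_key: "widget-consumer-key", oauth_token: "user-token",
  oauth_nonce: "n1", oauth_timestamp: "1237772520",
  oauth_signature_method: "HMAC-SHA1", oauth_version: "1.0" };

function demo() {
  // Signed by whatever program holds CS; the provider cannot tell which one.
  const sig = sign("GET", sampleUrl, sampleParams, CS, TS);
  const badSig = sign("GET", sampleUrl, sampleParams, "wrong-secret", TS);
  return { holderOfSecret: providerAccepts("GET", sampleUrl, sampleParams, sig, CS, TS),
           wrongSecret: providerAccepts("GET", sampleUrl, sampleParams, badSig, CS, TS) };
}
```

A valid signature tells the provider only that the signer knew the consumer secret, which is why the secret identifies an application only when it stays on a server.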
