Monis,

I agree it's harder to steal the secret from a binary, but it's not much
harder. You can simply set up a breakpoint and read out the secret from
the debugger for most apps. You can throw in a few more hurdles by using an
obfuscator. That will stop me, but it's no match for hackers either.

OAuth's security is based on the secrecy of the consumer secret. Once
the secret is compromised, you have to force all users to upgrade to
use a new key. For most apps, that's not a viable choice.

But I agree secure is a relative term. This risk might be acceptable
to your app. It's definitely better than doing nothing.

Zhihong


On Jul 24, 10:42 am, Monis <[email protected]> wrote:
> @Zhihong consumer secret should be a SECRET.
> Yes, if you are talking about a client like JavaScript, then it's
> insecure, but languages like Objective-C, which deploy binaries, should
> be secure.
>
> I would say it's perfectly OK for iPhone/Objective-C authorization
> needs.
>
> Thanks,
> Monis
>
> On Jul 24, 7:24 pm, Zhihong <[email protected]> wrote:
>
> > Mike,
>
> > OAuth is different things for different people. OAuth proper (the
> > 3-legged flow) is not suitable for JAX-RS. However, we use OAuth signing
> > to secure all our API calls and HTTP redirects. Someone asked me about
> > using Jersey to make the OAuth-signed calls, so we played around with
> > Jersey. It's pretty easy to plug OAuth in. On the server side, you can get
> > all the parameters and headers, so you should be able to use the Java
> > library to verify the signature. On the client side, the Jersey Client
> > Library can be extended to support the signing. This would be an
> > interesting extension to add to the Java library.
>
> > In my opinion, you don't add much security by using OAuth on client
> > because there is no way to keep the secret. However, many people still
> > do it. It may raise the hurdle for hacking a little, but not much.
>
> > To answer all your questions,
>
> > 1. No, unless you know how to keep the secret or you don't care about
> > security :( There is an Objective-C library you can use.
> > 2. No for the same reason. Anyone can get your secret and make calls
> > just like your app.
> > 3. No, but OAuth doesn't provide encryption. If you need
> > confidentiality, you can use OAuth over SSL.
> > 3a. See #2. It can be used to validate user if you can get around the
> > security issue on iPhone.
> > 4. I have no idea.
> > 5. See #3
> > 6. Function-wise, they have a tiny bit of overlap (both handle
> > authorization), but the implementations are very different. REST
> > Identity Services is not RESTful at all. Most Liberty/OASIS protocols
> > use SOAP as the communication stack. REST Identity Services simply
> > removes SOAP, but it still relies on heavy-duty protocols like SAML,
> > XACML etc. You use REST for simplicity, but this is not really simple.
> > So I would rather use the full Identity Services if I go that route.
>
> > Zhihong
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
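Added worked example (not code from this thread, nor from the Jersey or OAuth Java libraries the posters mention): a minimal OAuth 1.0 HMAC-SHA1 signer and server-side verifier (RFC 5849 base string, timestamp window, nonce replay check), used to play out the argument above. The consumer key/secret, the user token store, the URLs and the nonces are constructed placeholders. The demo shows that a party holding nothing but the consumer secret pulled out of a client binary signs calls the server cannot tell from the app's own (2-legged), that the same secret alone is not enough once a per-user token secret is also in the key (3-legged), and what the nonce/timestamp checks and a tampered request look like from the server's side.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed demo credentials and token store; not real values.
CONSUMER_KEY = "demo-app-key"
CONSUMER_SECRET = "demo-app-secret"          # what ships inside the client binary
TOKEN_SECRETS = {"user-token-1": "user-token-secret-1"}  # server-side, per user


def _pct(s):
    """RFC 5849 3.6 percent-encoding: only the RFC 3986 unreserved set is left bare."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """RFC 5849 3.4.1 signature base string: METHOD & base-URL & normalized params."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path}"
    # Query parameters are signed together with body/oauth_* params; the signature itself is not.
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((_pct(k), _pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key is consumer_secret&token_secret (token part empty for 2-legged)."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token=None, token_secret="", nonce=None, timestamp=None):
    """Client side: build the oauth_* parameters that go into the Authorization: OAuth header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth["oauth_signature"] = hmac_sha1(base_string(method, url, {**params, **oauth}),
                                         consumer_secret, token_secret)
    return oauth


class Server:
    """Server side: recompute the signature from the received params and headers."""

    def __init__(self, consumers, token_secrets, window=300):
        self.consumers, self.token_secrets, self.window = consumers, token_secrets, window
        self.seen = set()  # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, oauth, now=None):
        now = now if now is not None else int(time.time())
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        replay_key = (oauth.get("oauth_consumer_key"), ts, oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "replayed nonce"
        secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer"
        token_secret = ""
        if "oauth_token" in oauth:
            token_secret = self.token_secrets.get(oauth["oauth_token"])
            if token_secret is None:
                return False, "unknown token"
        expected = hmac_sha1(base_string(method, url, {**params, **oauth}), secret, token_secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen.add(replay_key)
        return True, "ok"


def demo(now=1_700_000_000):
    """Plays out the thread's scenarios; returns {scenario: server verdict}."""
    server = Server({CONSUMER_KEY: CONSUMER_SECRET}, TOKEN_SECRETS)
    url, params = "https://api.example.com/v1/items?limit=5", {"q": "caf\u00e9 au lait"}
    out = {}
    legit = sign_request("GET", url, params, CONSUMER_KEY, CONSUMER_SECRET, nonce="n1", timestamp=now)
    out["app_2legged"] = server.verify("GET", url, params, legit, now=now)[1]
    out["replay"] = server.verify("GET", url, params, legit, now=now)[1]
    # Attacker who read CONSUMER_SECRET out of the binary: same key, same secret, same result.
    forged = sign_request("POST", "https://api.example.com/v1/items", {"name": "x"},
                          CONSUMER_KEY, CONSUMER_SECRET, nonce="n2", timestamp=now)
    out["attacker_2legged"] = server.verify("POST", "https://api.example.com/v1/items",
                                            {"name": "x"}, forged, now=now)[1]
    # Same attacker naming a user's token without that user's token secret.
    forged3 = sign_request("GET", url, params, CONSUMER_KEY, CONSUMER_SECRET,
                           token="user-token-1", token_secret="", nonce="n3", timestamp=now)
    out["attacker_3legged"] = server.verify("GET", url, params, forged3, now=now)[1]
    # Parameters changed in transit after signing.
    fresh = sign_request("GET", url, params, CONSUMER_KEY, CONSUMER_SECRET, nonce="n4", timestamp=now)
    out["tampered"] = server.verify("GET", url, {"q": "other"}, fresh, now=now)[1]
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The verdict map makes the thread's point concrete: "attacker_2legged" is accepted exactly like "app_2legged", because HMAC-SHA1 signing proves possession of the secret, not identity of the binary; only the per-user token secret (never in the binary) separates the attacker from the app in the 3-legged case. Nonce/timestamp tracking stops replay of a captured header but does nothing against someone who can mint fresh signatures.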