The link to Google's guide for installed applications is here: http://code.google.com/apis/accounts/docs/OAuthForInstalledApps.html

It is pure OAuth but with a fixed consumer key and secret. Yahoo! uses the OAuth Session extension, which I don't completely understand, but one aspect of it is to force the token_secret to serve as a temporary secret. I don't have a link to Yahoo!'s handling of this beyond http://developer.yahoo.com/oauth/

Ethan

On Fri, Oct 30, 2009 at 12:31 PM, jrojas78 <[email protected]> wrote:
>
> Ethan,
>
> Do you know links to these guidelines? In particular extra measures
> to deal with the consumer secret vulnerability?
> Do I just encrypt the consumer secret on the client side as an extra
> means against casual decompilation?
>
> As a side note, Facebook doesn't use OAuth (but it is similar). They
> have a means to handle this in their protocol using a temporary secret
> provided by their servers.
> I don't know how secure this would be, but they seem to have
> acknowledged the issue and have a dual system that provides normal
> consumer secrets and temporary ones.
>
> On Oct 30, 8:09 am, Ethan Jewett <[email protected]> wrote:
>> Hi,
>>
>> In an installed client app it is just not a good idea to assume that
>> the consumer secret is actually secret or to rely on this in the way
>> you build your server. There is no way to ensure this secrecy and it
>> is not an issue specific to OAuth. The token secret is a bit of a
>> better bet since it is unique per client.
>>
>> I believe both Google and Yahoo have guidelines for people building
>> installed clients using OAuth, so I recommend you take a look at those
>> guidelines when considering how to do your own implementation.
>>
>> Ethan
>>
>> On Thu, Oct 29, 2009 at 6:06 PM, jrojas78 <[email protected]> wrote:
>>
>> > Hello,
>>
>> > How does OAuth deal with client apps that can be "decompiled"? If I
>> > want to build a client app that uses an OAuth service like Twitter how
>> > do I protect my secret key? All it takes is one person to hack the
>> > client and share the secret key and then my app would be vulnerable to
>> > spoofing. The best approach would be to never share the secret key on
>> > the client.
>>
>> > How can OAuth deal with this?
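The thread's point about the token secret being "a bit of a better bet" comes from how OAuth 1.0 (RFC 5849) builds its HMAC-SHA1 signing key: `percent_encode(consumer_secret) + "&" + percent_encode(token_secret)`. The following is an added example, not code from the thread or from Google's or Yahoo!'s guides; it implements the signature base string and HMAC-SHA1 signing from the RFC, plus a minimal server-side verifier, using constructed consumer, token and secret values. It shows that a server which looks up the token secret per user still rejects a request from someone who holds the (shipped, hence exposed) consumer secret but not that user's token secret. What it does not fix is the original concern: with the consumer secret known, the app's identity itself can be claimed by any client, which is why the thread says not to rely on consumer-secret secrecy in an installed app.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse


def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters are left as-is."""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lower-cased, default ports dropped, query removed."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    if (scheme == "http" and host.endswith(":80")) or (scheme == "https" and host.endswith(":443")):
        host = host.rsplit(":", 1)[0]
    return f"{scheme}://{host}{parts.path}"


def normalize_params(params) -> str:
    """Encode each name/value pair, sort by name then value, join with '&'."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, oauth_params: dict, body_params=()) -> str:
    """METHOD&encoded(base URI)&encoded(normalized parameters), excluding oauth_signature."""
    params = list(parse_qsl(urlparse(url).query, keep_blank_values=True))
    params += list(oauth_params.items()) + list(body_params)
    params = [(k, v) for k, v in params if k != "oauth_signature"]
    return "&".join([method.upper(), percent_encode(base_string_uri(url)), percent_encode(normalize_params(params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """The key is consumer_secret&token_secret; this is why a per-client token secret matters."""
    key = percent_encode(consumer_secret) + "&" + percent_encode(token_secret)
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def client_sign_request(method, url, consumer_key, consumer_secret, token, token_secret, nonce, timestamp):
    """Build the oauth_* protocol parameters a client would send (header or body)."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth_params)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


def server_verify(method, url, oauth_params, consumer_secrets: dict, token_secrets: dict) -> bool:
    """Recompute the signature from the server's own copies of both secrets."""
    consumer_key = oauth_params.get("oauth_consumer_key")
    token = oauth_params.get("oauth_token")
    if consumer_key not in consumer_secrets or token not in token_secrets:
        return False
    base = signature_base_string(method, url, oauth_params)
    expected = hmac_sha1_signature(base, consumer_secrets[consumer_key], token_secrets[token])
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def demo() -> dict:
    """Constructed values: a consumer secret that ships inside a binary and one user's token secret."""
    consumer_key, consumer_secret = "installed-app-key", "consumer-secret-shipped-in-binary"
    token, token_secret = "user42-access-token", "per-user-token-secret"
    consumer_secrets = {consumer_key: consumer_secret}  # server-side registry (constructed)
    token_secrets = {token: token_secret}               # server-side per-token store (constructed)
    url = "https://api.example.com/1/statuses/update.json"

    # Legitimate client: holds both secrets.
    legit = client_sign_request("POST", url, consumer_key, consumer_secret, token, token_secret,
                                nonce="n1", timestamp="1256860800")
    # Someone who extracted the consumer secret from the binary but does not hold user42's token secret.
    without_token_secret = client_sign_request("POST", url, consumer_key, consumer_secret, token, "guessed",
                                               nonce="n2", timestamp="1256860800")
    return {
        "legit": server_verify("POST", url, legit, consumer_secrets, token_secrets),
        "without_token_secret": server_verify("POST", url, without_token_secret, consumer_secrets, token_secrets),
    }


if __name__ == "__main__":
    print(demo())  # expected: {'legit': True, 'without_token_secret': False}
```

The verifier looks up the token secret by `oauth_token` rather than trusting anything in the request, so the only thing the consumer secret buys a holder is the ability to act as the application; acting as a particular user still requires that user's token secret, which is issued per authorization and never embedded in the shipped client. The nonce and timestamp are carried through the base string here but not checked for replay; a real server must store seen nonces per timestamp window.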
