Service Providers that allow the "anonymous" consumer key don't really have
a way to identify the application to the user, other than the domain of the
callback url. Unfortunately, due to open redirectors and other web
vulnerabilities, a malicious website could hide their true identity behind a
redirector. (for instance, anyone can use a bit.ly url)


It might make sense for your clients to specify an optional client name,
similar to a web browser's User Agent string. As with the browser user
agent, the value of this string is completely untrusted, however it might be
useful to use when identifying the client to the user.

Allen



On 2/22/10 3:27 AM, "zemi" <[email protected]> wrote:

>
> But at the same time I need to 'auto' register the consumers the way
> they are unique (URL?) so I can identify them on provider side - that
> an user can revoke access token later if needed.
> Do I actually need to create consumer key/secret for each request or
> the token only?
> What do you think?
> 
> Regards,
> Matus
> 
> On Feb 22, 2:50 am, Allen Tom <[email protected]> wrote:
>> Perhaps a Googler can jump in on this: Google allows OAuth apps to use
>> "anonymous" as their consumer key, with "anonymous" as their consumer
>> secret. These apps do not need to pre-register for a consumer key.
>> 
>> See bullet point #2 in Google's OAuth docs regarding the "anonymous"
>> consumer key:
>> http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth
>> 
>> This also means that the oauth_callback URL is not bound to any particular
>> domain and can be anything.
>> 
>> I personally think that this is a great way to lower the barrier for
>> developers to start using OAuth protected APIs. However, Yahoo and many
>> other Service Providers are not able to allow for the anonymous consumer key
>> due to legal requirements (we require our developers to agree to a legal
>> terms of use), as well as business requirements (we want contact info for
>> our developers).
>> 
>> As far as the original poster's question asking how Service Providers can
>> implement this: I think the anonymous consumer key implementation is pretty
>> straightforward. I suppose the UI for the approval screen as well as the
>> token management/revocation screens could be strange (what does the SP call
>> the app on these screens?). It could also be tricky to implement a kill
>> switch if the SP wants to pull the plug on a rogue app using the anonymous
>> consumer key.
>> 
>> Allen
>> 
>> On 2/20/10 11:33 PM, "Vinod facebook" <[email protected]> wrote:
>> 
>> 
>> 
>>> Hi zemi,
>> 
>>> This can be done using asymmetric key cryptography. For example, if
>>> abc.com is a service provider and they want to add a gadget to
>>> google.com (consumer) to offer their services to their clients using
>>> google.com: Google signs all requests to the service provider using a
>>> private key, and the service provider uses a public certificate provided
>>> by Google to verify that all requests originating from Google are
>>> authentic and legitimate. This signing and validation of request
>>> messages happens at both ends (consumer and service provider). With
>>> this, prior registration is not required on the service provider side.
>> 
>>> A list of OpenSocial public certificates is provided at the following
>>> link:
>> 
>>> https://opensocialresources.appspot.com/certificates
>> 
>>> The following link provides you an insight into implementing signed fetch
>>> using asymmetric key cryptography. The same can be used with 3-legged oauth.
>> 
>>> http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
>> 
>>> Note: There is no such 'anonymous consumer key' as per my understanding. If
>>> you view the list of public certificates, along with the public certificate
>>> a corresponding oauth_consumer_key is provided and is a fixed value.
>> 
>>> With Regards,
>>> R.Vinod Kumar
>> 
>>> On Fri, Feb 19, 2010 at 5:49 AM, zemi <[email protected]> wrote:
>>>> Hi everybody,
>>>> I need a consumer to request (3-legged) 'request' tokens without
>>>> previous registration on provider side.
>>>> I've noticed Google and Plaxo support this with 'anonymous' consumer
>>>> key? How exactly is this then handled on provider side? Do they create
>>>> token only or consumer key also?
>>>> Thanks for help folks!
>> 
>>>> Regards,
>>>> zemi
>> 

-- 
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/oauth?hl=en.
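The thread turns on one point: with the "anonymous" consumer key and secret the OAuth signature still verifies, but it proves nothing about who the client is, so the only provider-checked fact left for the approval screen is the callback host, and any self-reported client name (Allen's User-Agent-style suggestion) is untrusted. The following is an added example, not code from the thread or from Google's or Yahoo's implementations: a minimal OAuth 1.0 HMAC-SHA1 signer and provider-side verifier (RFC 5849 base string and key rules), a constructed consumer registry in which "anonymous"/"anonymous" sits beside a made-up registered key, and an `approval_screen_identity` helper showing what the provider can honestly display in each case. The `x_client_name` parameter name, the registry entries and the callback URL are assumptions made for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed registry for this example. "anonymous" -> "anonymous" follows the
# convention the thread describes for Google; the registered entry is made up.
CONSUMERS = {
    "anonymous": {"secret": "anonymous", "name": None},
    "example-registered-key": {"secret": "example-registered-secret",
                               "name": "Example Registered App"},
}


def oauth_encode(value):
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' pass through."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """RFC 5849 3.4.1 base string; params is a list of (key, value) pairs (duplicates allowed)."""
    pairs = sorted((oauth_encode(k), oauth_encode(v))
                   for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with encode(consumer_secret)&encode(token_secret)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, base_url, params, consumer_secret, token_secret=""):
    """Consumer side: return the parameter list with oauth_signature appended."""
    base = signature_base_string(method, base_url, params)
    return list(params) + [("oauth_signature",
                            hmac_sha1_signature(base, consumer_secret, token_secret))]


def verify_request(method, base_url, params, token_secret=""):
    """Service-provider side: look up the consumer secret and check the signature."""
    p = dict(params)
    entry = CONSUMERS.get(p.get("oauth_consumer_key", ""))
    if entry is None or p.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    base = signature_base_string(method, base_url, params)
    expected = hmac_sha1_signature(base, entry["secret"], token_secret)
    return hmac.compare_digest(expected.encode("ascii"),
                               p.get("oauth_signature", "").encode("utf-8"))


def approval_screen_identity(params):
    """What the provider can honestly show the user on the approval/revocation screen.

    'x_client_name' is an assumed self-reported parameter (not from the thread);
    like a browser User-Agent it is never trusted, only displayed as self-reported.
    """
    p = dict(params)
    entry = CONSUMERS.get(p.get("oauth_consumer_key", ""))
    callback_host = urlsplit(p.get("oauth_callback", "")).hostname or ""
    if entry is not None and entry["name"] is not None:
        # Registered key: the name comes from the provider's own records.
        return {"verified": True, "display_name": entry["name"],
                "callback_host": callback_host}
    # Anonymous key: a valid signature only proves possession of a public secret.
    # The callback host is the one provider-observed fact; the name is self-reported.
    return {"verified": False, "display_name": p.get("x_client_name", ""),
            "callback_host": callback_host}


if __name__ == "__main__":
    # Constructed request from a client using the anonymous key.
    params = [("oauth_consumer_key", "anonymous"), ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_timestamp", "1266800000"), ("oauth_nonce", "n0nce"),
              ("oauth_callback", "http://app.example.test/cb"), ("x_client_name", "Any Name")]
    signed = sign_request("POST", "http://provider.example.test/request_token", params, "anonymous")
    print(verify_request("POST", "http://provider.example.test/request_token", signed))
    print(approval_screen_identity(signed))
```

The registry lookup is the whole "identity" check a provider gets from OAuth 1.0: for a registered key the secret is private, so a valid signature ties the request to one known developer; for "anonymous" the secret is public, so the same verifier returns True for every client that uses it, which is why `approval_screen_identity` reports `verified: False` and falls back to the callback host plus a self-reported name.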
