Hi all, I'm evaluating whether OAuth 2 draft 13 w/ MAC authentication will be suitable for my situation.
We have an API which will be consumed by approved native apps on mobile devices. For business reasons I want to ensure that a user cannot use their own valid access token to make API calls from non-approved clients. Perhaps this is not what OAuth is designed to protect against, but I'd like to use a standardized authentication method if at all possible.

I understand the process of granting an access token to clients validated by client_id and client_secret, but I want to do the same for all authenticated requests. As far as I can tell, an authenticated request is signed by an access token and token secret, but not client id and client secret. I'm aware that determined users could extract the client ID and client secret from mobile app binaries, but this should stop casual users.

I've found a couple of discussions related to this problem, but I'm not sure if they're what I'm after:

[1] http://www.ietf.org/mail-archive/web/oauth/current/msg03836.html
[2] http://www.ietf.org/mail-archive/web/oauth/current/msg04872.html

It might be possible to include the client ID and client secret as query parameters in the message to sign (but exclude the client secret in the actual request URL of course), or put the client ID in the Authorization header. If anyone has a better way to do this, especially in a way that would still make it a valid OAuth 2 request, I'm all ears.

Regards
Steve

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
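The approach floated in the post (covering the client ID and client secret with the MAC while only the client ID travels in the Authorization header) can be sketched in code. The example below is an added illustration, not code from the original post or from any OAuth implementation; the normalized-string layout, the header parameter names (`client_id` alongside `id`, `ts`, `nonce`, `mac`), the registrations and the credential values are all constructed for the example and do not follow the MAC draft's exact format. The server binds each token to the client it was issued to, recomputes the MAC with the client secret it holds on file, and rejects a request from a client that does not know that secret even if it holds a valid token and token secret.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlsplit

# Constructed sample registrations (not from the original post). A real server
# stores these at client registration and at token issuance.
CLIENT_SECRETS = {"app-ios-1": "client-secret-ios"}
# access token -> (token secret, client_id the token was issued to)
TOKEN_SECRETS = {"tok-h480djs93hd8": ("489dks293j39", "app-ios-1")}
MAX_SKEW_SECONDS = 300


def normalized_string(ts, nonce, method, url, client_id, client_secret):
    """Hypothetical normalized request string: the usual request fields plus two
    trailing lines for the client credentials (an assumption for this example,
    not the MAC draft's layout). The client secret is covered by the MAC but
    never transmitted."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    fields = [str(ts), nonce, method.upper(), path, parts.hostname, str(port),
              client_id, client_secret]
    return "\n".join(fields) + "\n"


def compute_mac(token_secret, normalized):
    digest = hmac.new(token_secret.encode(), normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, token, token_secret, client_id, client_secret,
                 ts=None, nonce=None):
    """Client side: build the Authorization header value for one request."""
    ts = int(ts if ts is not None else time.time())
    nonce = nonce or secrets.token_hex(8)
    mac = compute_mac(token_secret,
                      normalized_string(ts, nonce, method, url, client_id, client_secret))
    return f'MAC id="{token}", ts="{ts}", nonce="{nonce}", client_id="{client_id}", mac="{mac}"'


def parse_header(header):
    if not header.startswith("MAC "):
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))


def verify_request(method, url, header, now=None):
    """Server side: returns (accepted, reason)."""
    params = parse_header(header)
    if not params or not {"id", "ts", "nonce", "client_id", "mac"}.issubset(params):
        return False, "malformed header"
    entry = TOKEN_SECRETS.get(params["id"])
    if entry is None:
        return False, "unknown token"
    token_secret, bound_client_id = entry
    # The token is only valid for the client it was issued to.
    if params["client_id"] != bound_client_id:
        return False, "token was not issued to this client"
    client_secret = CLIENT_SECRETS.get(params["client_id"])
    if client_secret is None:
        return False, "unknown client"
    try:
        ts = int(params["ts"])
    except ValueError:
        return False, "bad timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    # Recompute with the client secret on file; a caller without it cannot match.
    expected = compute_mac(token_secret,
                           normalized_string(ts, params["nonce"], method, url,
                                             params["client_id"], client_secret))
    if not hmac.compare_digest(expected, params["mac"]):
        return False, "mac mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = "https://api.example.com/v1/orders?limit=10"
    hdr = sign_request("GET", url, "tok-h480djs93hd8", "489dks293j39",
                       "app-ios-1", "client-secret-ios")
    print(hdr)
    print(verify_request("GET", url, hdr))
```

The server still needs a per-token nonce cache inside the timestamp window to stop replays, and the caveat from the post stands: the client secret only keeps out clients that have not extracted it from the app binary, so the check is a casual-use deterrent rather than a cryptographic guarantee of client identity.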
