Steve,

> I'm evaluating whether OAuth 2 draft 13 w/ MAC authentication will be
> suitable for my situation.
> ...
> I want to ensure that a user cannot use their own valid access token to make
> API calls from non-approved clients.
> ...
> I'm aware that determined users could extract the client ID and client secret
> from mobile app binaries, but this should stop casual users.

An app should be able to protect a MAC token secret almost as well as a client secret (perhaps even better as it isn't in the static code) -- as long as you are using HTTPS to issue it. A MAC token secret is not exposed to a casual user. Even a bearer token is not exposed to a casual user as long as you use HTTPS everywhere.

--
James Manger

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
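Added illustration of the point above (not part of the message or of the OAuth drafts): a simplified HMAC request-signing scheme in the spirit of the MAC token draft. The MAC key is issued once over HTTPS and then never leaves the client or server; each request carries only a key id, a nonce and a MAC, whereas a bearer header carries the credential itself. The normalized-string layout, parameter names, key id and secret are assumptions and constructed sample values, not taken from the draft.

```python
import base64
import hashlib
import hmac
import re


def body_hash(body: bytes) -> str:
    """base64(SHA-256(body)) so the MAC also covers the request body."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


def normalized_request(nonce, method, uri, host, port, bhash):
    # Assumed layout modelled on the MAC token draft: one field per line,
    # every line newline-terminated. Field order is an assumption.
    fields = [nonce, method.upper(), uri, host.lower(), str(port), bhash, ""]
    return "\n".join(fields) + "\n"


def sign_request(key_id, mac_key, nonce, method, uri, host, port, body=b""):
    """Client side: build the Authorization header. mac_key never appears in it."""
    bhash = body_hash(body)
    msg = normalized_request(nonce, method, uri, host, port, bhash).encode()
    mac = base64.b64encode(hmac.new(mac_key.encode(), msg, hashlib.sha256).digest()).decode()
    return f'MAC id="{key_id}", nonce="{nonce}", bodyhash="{bhash}", mac="{mac}"'


def parse_mac_header(header):
    """Return the MAC header parameters as a dict, or None if it is not a MAC header."""
    if not header.startswith("MAC "):
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))


def verify_request(header, key_lookup, seen_nonces, method, uri, host, port, body=b""):
    """Server side: recompute the MAC from the stored key and the request as received."""
    params = parse_mac_header(header)
    if params is None or not {"id", "nonce", "bodyhash", "mac"} <= params.keys():
        return False
    mac_key = key_lookup(params["id"])
    if mac_key is None or params["nonce"] in seen_nonces:  # unknown key or replayed nonce
        return False
    # The body hash is folded into the MAC, so a tampered body or URI changes the result.
    expected = parse_mac_header(sign_request(params["id"], mac_key, params["nonce"],
                                             method, uri, host, port, body))
    ok = hmac.compare_digest(expected["mac"], params["mac"])
    if ok:
        seen_nonces.add(params["nonce"])  # remember the nonce so the request cannot be replayed
    return ok


if __name__ == "__main__":
    # Constructed sample key; a real key would be issued by the token endpoint over HTTPS.
    print(sign_request("demo-key-1", "demo-secret-not-for-prod", "264095:dj83hs9s",
                       "POST", "/resource/1?b=1&a=2", "example.com", 443, b"hello=world"))
```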
