I'd like to run something past everyone to make sure I'm not missing
something obvious that would make what I'm thinking of doing insecure.

I'm working on a web application with an iPhone app that goes along
with it (we haven't launched yet). Our web application provides an API
that the iPhone application uses.

Our iPhone application is approved for and successfully using xAuth
for signing users in. Once xAuth comes back, the iPhone application
only stores the OAuth key/secret pair for the user. Our web
application is only using standard OAuth for signing in - it doesn't
accept usernames and passwords directly from users.

I'd like to offer a simple and secure way for the iPhone application
to not only authorize itself with our API, but identify the user
making the request.

Would it be wrong or insecure for the iPhone application to pass along
the access key and access secret for the user on each API call to our
web application? This would sufficiently identify the user and, if I'm
understanding correctly, wouldn't be able to be used by anyone if
intercepted because they wouldn't have our application's consumer key/

Again, I could very well be missing something here in terms of how
secure this approach would be, that's why I'm asking first. I
appreciate any feedback on this plan. Thank you, in advance.

Thomas Mango

Reply via email to