Right, and...

On Sat, 12 Jun 2010 16:09:47 -0700 (PDT)
Jef Poskanzer <jef.poskan...@gmail.com> wrote:

> You know, it's right there in the OAuth RFC.
>
> http://tools.ietf.org/html/rfc5849#section-4.6
>
> 4.6. Secrecy of the Client Credentials
>
> In many cases, the client application will be under the control of
> potentially untrusted parties. For example, if the client is a
> desktop application with freely available source code or an
> executable binary, an attacker may be able to download a copy for
> analysis. In such cases, attackers will be able to recover the
> client credentials.
>
> Accordingly, servers should not use the client credentials alone to
> verify the identity of the client.

But for a desktop/mobile standalone application, there is no single
client entity. What is called the "consumer" is not an entity. It is a
program running on a device, not a company.

And to re-quote them:

> For example, if the client is a
> desktop application with freely available source code or an
> executable binary, an attacker may be able to download a copy for
> analysis.

This borders on being silly - why bother with analysis, when the
attacker can just run the program?

The OAuth system comes from client/server concepts and client/server
thinking. In that scenario, the authentication is between one client
and two servers. That is not the case with most desktop/mobile apps.

-- 
Bernd Stramm <bernd.str...@gmail.com>
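To make the RFC 5849 section 4.6 point concrete, here is an added example; it is not part of the thread and is not code from either poster or from the RFC. It implements OAuth 1.0 HMAC-SHA1 signing (sections 3.4.1, 3.4.2 and 3.6 of the RFC) and a minimal server-side check, then shows that an impostor who has pulled the client key and secret out of a shipped app produces a temporary-credential request signature identical to the genuine app's, so the server cannot tell the two apart. The credentials, URLs, nonce, timestamp and the byte blob standing in for a compiled binary are all constructed for the example; the server verifier is a hypothetical stand-in, not any real provider's code.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing and the section 4.6 problem.

Constructed example: every credential, URL, nonce and timestamp below is
made up, and SHIPPED_APP is a fabricated byte blob standing in for a
desktop/mobile binary that has the client credentials compiled in.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(s: str) -> str:
    # RFC 5849 section 3.6: only RFC 3986 unreserved characters stay unescaped.
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    # RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default port and query.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters).
    # Query-string parameters are collected together with the protocol parameters.
    pairs = [(percent_encode(k), percent_encode(v)) for k, v in oauth_params.items()]
    pairs += [(percent_encode(k), percent_encode(v))
              for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    pairs.sort()  # section 3.4.1.3.2: sort by encoded name, then encoded value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_string_uri(url)), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, client_secret: str, token_secret: str = "") -> str:
    # RFC 5849 section 3.4.2: key = enc(client secret) & enc(token secret).
    key = f"{percent_encode(client_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method: str, url: str, oauth_params: dict, client_secret: str, token_secret: str = "") -> str:
    # The oauth_signature value any holder of the secrets would send for these parameters.
    return hmac_sha1_signature(signature_base_string(method, url, oauth_params), client_secret, token_secret)


def server_verify(method, url, oauth_params, signature, client_secrets, token_secrets) -> bool:
    # Hypothetical server-side check: it only establishes that *someone holding the
    # client secret* signed the request, not which copy of the app or which party did.
    secret = client_secrets.get(oauth_params.get("oauth_consumer_key"))
    if secret is None:
        return False
    token_secret = token_secrets.get(oauth_params.get("oauth_token", ""), "")
    return hmac.compare_digest(sign_request(method, url, oauth_params, secret, token_secret), signature)


# Constructed stand-in for a shipped binary with the client credentials embedded.
SHIPPED_APP = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"oauth_consumer_key=dpf43f3p2l4k3l03\x00"
               + b"oauth_consumer_secret=kd94hf93k423kf44\x00"
               + b"https://photos.example.net/\x00")


def recover_client_credentials(binary: bytes):
    # The "download a copy for analysis" step: a strings(1)-style scan for key=value.
    found = {}
    for s in re.findall(rb"[\x20-\x7e]{4,}", binary):
        if b"=" in s:
            k, v = s.split(b"=", 1)
            found[k.decode()] = v.decode()
    return found.get("oauth_consumer_key"), found.get("oauth_consumer_secret")


# Constructed temporary-credential request (RFC 5849 section 2.1): at this step only the
# client credentials are involved, so client identity is all the server has to go on.
INITIATE_URL = "https://photos.example.net/initiate"
INITIATE_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_nonce": "wIjqoS",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131200",
    "oauth_callback": "http://printer.example.com/ready",
}
GENUINE_SECRET = "kd94hf93k423kf44"


def impersonation_demo() -> dict:
    # Genuine app signs with its compiled-in secret; the impostor signs with the
    # values scraped from the binary. The server accepts both and cannot distinguish them.
    key, secret = recover_client_credentials(SHIPPED_APP)
    genuine = sign_request("POST", INITIATE_URL, INITIATE_PARAMS, GENUINE_SECRET)
    forged = sign_request("POST", INITIATE_URL, dict(INITIATE_PARAMS, oauth_consumer_key=key), secret)
    guessed = sign_request("POST", INITIATE_URL, INITIATE_PARAMS, "not-the-secret")
    server_db = {"dpf43f3p2l4k3l03": GENUINE_SECRET}
    return {
        "same_signature": genuine == forged,
        "genuine_accepted": server_verify("POST", INITIATE_URL, INITIATE_PARAMS, genuine, server_db, {}),
        "forged_accepted": server_verify("POST", INITIATE_URL, INITIATE_PARAMS, forged, server_db, {}),
        "wrong_secret_rejected": not server_verify("POST", INITIATE_URL, INITIATE_PARAMS, guessed, server_db, {}),
    }


if __name__ == "__main__":
    print(impersonation_demo())
```

The signature itself is sound: a request signed with a wrong secret is rejected. What the server learns from a valid signature is only that the signer held the client secret, which is exactly what the RFC's section 4.6 says cannot be assumed to be the legitimate client once the secret ships inside a binary.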