Thanks for the tips, Andrew! Your suggestions to Apple on secret management seem like a great idea. We'll keep that on our radar.
Taylor

On Fri, Jun 25, 2010 at 2:57 PM, Andrew W. Donoho <andrew.don...@gmail.com> wrote:
>
> On Jun 25, 2010, at 15:42 , Taylor Singletary wrote:
>
>> However, we'd love to collect together specific implementation stories of
>> developers who've successfully made the transition and highlight them here.
>
> Taylor et al.,
>
> As someone with his own custom iPhone REST stack, I scaled the OAuth/xAuth
> wall. In my view, everyone made this transition seem much tougher than it
> really is. Here's my advice:
>
> 0) If you don't have a REST stack, git one! There are many out there. I
> started with one. (Very little of it remains in my apps but that is another
> matter. It got me started.)
>
> 1) Your HTTP request tends to change in exactly one place -- setting your
> authorization header. Don't freak out about changing your code base. I added
> 3 methods to my stack: create a signature string, sign the signature string
> and create the OAuth header. I changed one method to sort and URL encode my
> parameters. In all, this is a pretty minimal change. I cribbed much of this
> from other open source implementations.
>
> 1a) Calculating a signature string is not as daunting as it looks. Some
> pseudo code would have helped. Twitter's recent documentation helped.
>
> 1b) Calculating the HMAC-SHA1 signature is simple too. If you use the common
> crypto library (CDSA derived), it takes 6 lines.
>
> 1c) What wasn't too clear was how the xAuth process interacted with your
> tokens. (Yes, I knew they were missing. What wasn't apparent was that I had
> to leave the conjoining '&' in the signature secret.)
>
> 2) The WWDC slides sum up most of the issues but leave out the supporting
> nitty gritty code.
>
> Finally, we all know that xAuth has a huge security hole -- the embedded
> consumer secret in the client app. I have a feature request into Apple to
> allow the passing of encrypted secrets to native applications through App
> Store binary code. I have also posted it to OpenRadar at this link:
> <http://openradar.appspot.com/8109678>. If members of this community agree
> that we need a solution to this problem, then please consider filing
> enhancement requests with Apple via bugreporter and reference my request.
> (If someone else has a similar request, I'll be happy to reference their
> request in my communications with Apple.)
>
> Anon,
> Andrew
>
> ____________________________________
> Andrew W. Donoho
> Donoho Design Group, L.L.C.
> a...@ddg.com, +1 (512) 750-7596
>
> "We did not come to fear the future.
> We came here to shape it."
>
> -- President Barack Obama, Sept. 2009
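The three pieces Andrew lists in steps 1 through 1c (build the signature base string, sign it with HMAC-SHA1, emit the OAuth header), as an added worked example that is not code from this thread or from either author's stack: Python rather than his Objective-C, applied to a constructed xAuth access_token request. The endpoint URL and the oauth_*/x_auth_* parameter names are the real OAuth 1.0 and xAuth ones; the consumer key, secret, nonce, timestamp and user credentials are placeholders, and the example shows the signing key keeping its conjoining '&' when there is no token secret yet.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value: str) -> str:
    # RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare
    return quote(value, safe="-._~")

def signature_base_string(method: str, url: str, params: list[tuple[str, str]]) -> str:
    # METHOD&enc(url)&enc(sorted "k=v" pairs); params = every oauth_*, query and body
    # parameter except oauth_signature (repeated names allowed, hence a list of pairs)
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # enc(consumer_secret)&enc(token_secret); the '&' stays even with no token secret,
    # which is the xAuth access_token case the thread describes
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def hmac_sha1_signature(base_string: str, key: str) -> str:
    # oauth_signature = base64(HMAC-SHA1(key, base_string))
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def authorization_header(oauth_params: list[tuple[str, str]], signature: str) -> str:
    # oauth_* parameters plus the signature, each value percent-encoded and quoted
    items = oauth_params + [("oauth_signature", signature)]
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in items)

# Constructed xAuth request: placeholder key, nonce, timestamp and user, not real credentials.
XAUTH_URL = "https://api.twitter.com/oauth/access_token"
OAUTH_PARAMS = [("oauth_consumer_key", "abc123"), ("oauth_nonce", "n0nce"),
                ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1277499420"),
                ("oauth_version", "1.0")]
XAUTH_BODY = [("x_auth_mode", "client_auth"), ("x_auth_username", "alice"),
              ("x_auth_password", "p@ss word!")]

def sign_xauth_request(consumer_secret: str) -> tuple[str, str, str]:
    # Returns (base_string, key, signature) for the constructed request above
    base = signature_base_string("POST", XAUTH_URL, OAUTH_PARAMS + XAUTH_BODY)
    key = signing_key(consumer_secret)  # no token secret yet, so the key ends in '&'
    return base, key, hmac_sha1_signature(base, key)

if __name__ == "__main__":
    base, key, sig = sign_xauth_request("s3cret")
    print(base, key, authorization_header(OAUTH_PARAMS, sig), sep="\n")
```

Only the oauth_* parameters go into the Authorization header; the x_auth_* values travel in the POST body but are still part of the signed base string.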