I think I'm missing something, but I'm certainly not an expert in this area. Where do native apps keep the "app-secret" if it isn't supposed to be in client-side code?
-Alex

On 2/25/14 8:00 AM, "Tom Chiverton" <[email protected]> wrote:
>I see, this is one of those cases where you can make a trade-off, isn't it?
>
>You can do on-device no-server authentication direct to an API, but this
>exposes the secrets to reverse engineering.
>Or you can choose to mediate everything via your own server, which
>mitigates that issue but drives up complexity and (ongoing) costs.
>
>In the specific case of FaceBook, this is the offline access scope - you
>grab the token once and then store it against the user on the server,
>and the client app then asks your server for everything rather than
>FaceBook. That on-device client app doesn't need to see any part of the
>initial 'allow access' web browser flow, so again the secret can be kept
>on the server.
>
>Unless I'm misreading.
>
>Tom
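The server-mediated arrangement Tom describes, sketched as an added example that is not part of this thread: the app secret and the provider's access token live only on the server, the native app holds nothing but a session token for your server, and every provider call is proxied. The provider endpoints (`fake_provider_exchange`, `fake_provider_api`) and the secret values are constructed stand-ins.

```python
import hmac, hashlib, secrets

# Server-held secrets (constructed placeholders; real values come from server config, never ship in the app)
APP_SECRET = "placeholder-app-secret"
SESSION_KEY = secrets.token_bytes(32)

PROVIDER_TOKENS = {}  # user_id -> provider access token, kept server-side only

def fake_provider_exchange(code, client_id, client_secret):
    """Stand-in for the provider's code-for-token endpoint (constructed for this example)."""
    if client_secret != APP_SECRET:
        raise PermissionError("bad client secret")
    return {"access_token": "prov-" + hashlib.sha256(code.encode()).hexdigest()[:16],
            "user_id": "user-" + code}

def fake_provider_api(access_token, resource):
    """Stand-in for a provider API call authenticated with the stored (offline access) token."""
    if not access_token.startswith("prov-"):
        raise PermissionError("invalid provider token")
    return {"resource": resource, "items": ["friend-1", "friend-2"]}

def issue_session(user_id):
    """Mint the only credential the native app ever holds: an HMAC-bound session for our server."""
    mac = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"

def verify_session(session):
    """Reject tampered or forged sessions using a constant-time comparison."""
    user_id, _, mac = session.rpartition(".")
    expected = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    if not user_id or not hmac.compare_digest(mac, expected):
        raise PermissionError("invalid session")
    return user_id

def complete_login(code):
    """Server side of the browser consent flow: use the app secret here, store the token, hand back a session."""
    tok = fake_provider_exchange(code, "my-client-id", APP_SECRET)
    PROVIDER_TOKENS[tok["user_id"]] = tok["access_token"]
    return issue_session(tok["user_id"])

def client_request(session, resource):
    """What the native app calls: the server looks up the provider token and proxies the call."""
    user_id = verify_session(session)
    token = PROVIDER_TOKENS.get(user_id)
    if token is None:
        raise PermissionError("no linked provider account")
    return fake_provider_api(token, resource)
```

Neither the session string returned to the client nor the proxied response contains the app secret or the provider token, so there is nothing for reverse engineering of the app to recover.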
