Ansvelzw | Date: Saturday, 2013-08-03, 5:21 AM | Message # 1
Private
Group: Users
Messages: 8
Status: Offline
Subject: secrets when making an OAuth API
We've implemented OAuth inside my API server using a standard consumer/user key/secret design (the same way Twitter, Facebook, and so on do). I expect third parties to connect to my API, again in much the same way as these typical APIs.
Normally, a client would connect with an application token/secret (for example, you create a Facebook application as a Facebook developer and are given these back). However, many times the client is unable to provide a secret for the request because the code is executed in an insecure fashion. Mainly, I am referring to JavaScript libraries. For instance, developers shouldn't expose their application secret in JavaScript code because it is plaintext and can be read by malicious users.
I've noticed that Facebook avoided this problem. The developer must provide only an application token (not the secret) to the JavaScript library. I do not see how to provide an equivalent option for my API without basically making the library vulnerable. Namely, if requests are being made by the JavaScript client library to the API without providing a secure token/secret, how are the requests authenticated by the OAuth API?
Intellectually, the best solution I could come up with would be to have some sort of small handoff between the JavaScript client library and the API server over an HTTPS connection, so that it can return a real secret for the library to use. I'm not really sure how I'd get this handoff to prevent spoofs, though.
Typically it is better to follow the standard than to implement some unique way. The implicit grant is the one you have seen on Facebook. In some cases, the client identity can be verified via the redirection URI used to deliver the access token to the client. The access token may be exposed to the resource owner or other applications with access to the resource owner's user-agent.
Implicit grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application) because it reduces the number of round trips required to obtain an access token.
It has certain security downsides.
But as far as I can see, the other strategies don't work for you, as they expose secrets either to the client (third-party website owner) or to the resource owner (client), so you should stay with this one.
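The implicit grant the post settles on, as an added example that is not part of the original post or of any real provider's code: a minimal authorization endpoint that issues a bearer token for response_type=token, delivers it in the URL fragment, and verifies the client by exact match of its redirect URI against a registered list rather than by a client secret. The client registry, the token store, the client_id "js-demo-app" and the redirect URI https://app.example.test/callback are constructed for the example.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed registry: what a developer registers with the API provider.
# Only the client_id goes into the in-browser library; an implicit-grant client
# has no client secret because nothing in the browser could keep it confidential.
REGISTERED_CLIENTS = {
    "js-demo-app": {"redirect_uris": ["https://app.example.test/callback"]},
}

TOKEN_TTL_SECONDS = 3600
_issued_tokens = {}  # token -> (client_id, scope, expiry); constructed in-memory store


class AuthorizationError(Exception):
    """Raised for requests that must NOT be redirected back to the supplied URI."""


def _exact_match(candidate, registered):
    # Exact string comparison only. Prefix or host-only matching would let the
    # token be delivered to a redirect target the developer never registered.
    return any(candidate == uri for uri in registered)


def handle_authorize(params, resource_owner_approved):
    """Authorization endpoint for response_type=token (RFC 6749 section 4.2).

    params is a dict of the query parameters the user-agent arrived with.
    Returns the URL the user-agent should be redirected to.
    """
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    # Errors about the client or redirect URI are reported to the user, never
    # redirected, because the redirect target itself is what is in doubt.
    if client is None:
        raise AuthorizationError("unknown client_id")
    if redirect_uri is None or not _exact_match(redirect_uri, client["redirect_uris"]):
        raise AuthorizationError("redirect_uri does not match a registered URI")
    if not redirect_uri.startswith("https://"):
        raise AuthorizationError("redirect_uri must use TLS")

    state = params.get("state")
    fragment = {}
    if params.get("response_type") != "token":
        fragment["error"] = "unsupported_response_type"
    elif not resource_owner_approved:
        fragment["error"] = "access_denied"
    else:
        token = secrets.token_urlsafe(32)
        _issued_tokens[token] = (params["client_id"], params.get("scope", ""),
                                 time.time() + TOKEN_TTL_SECONDS)
        fragment.update({"access_token": token, "token_type": "bearer",
                         "expires_in": TOKEN_TTL_SECONDS})
    if state is not None:
        fragment["state"] = state  # echoed so the library can tie the response to its request
    # The token rides in the fragment: browsers do not send the fragment to the
    # server hosting redirect_uri, so only the in-page script sees it.
    return redirect_uri + "#" + urlencode(fragment)


def token_from_fragment(url):
    """What the JavaScript library does on the callback page: read the fragment."""
    frag = parse_qs(urlsplit(url).fragment)
    return frag.get("access_token", [None])[0]


def check_bearer(token):
    """Resource server side: accept only tokens this server issued and that are unexpired."""
    entry = _issued_tokens.get(token)
    if entry is None:
        return None
    client_id, scope, expiry = entry
    if time.time() > expiry:
        return None
    return {"client_id": client_id, "scope": scope}


if __name__ == "__main__":
    request = {"response_type": "token", "client_id": "js-demo-app",
               "redirect_uri": "https://app.example.test/callback", "state": "xyz"}
    location = handle_authorize(request, resource_owner_approved=True)
    print(location)
    print(check_bearer(token_from_fragment(location)))
```

The short TTL and the server-side token table are how the example limits the downside the quoted text names: the token is visible to the user-agent, so it is kept short-lived and revocable instead of being a long-term secret.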