
So I've been reading some documentation on OAuth, and I understand the concept and the way OAuth works, but I am having trouble understanding something...

On the following website, I took this excerpt (see emphasis):

> In everyday web transactions, the most common credential used is the username-password combination. OAuth’s primary goal is to allow delegated access to private resources. This is done using two sets of credentials: the client identifies itself using its client identifier and client secret, while the resource owner is identified by an access token and token secret. Each set can be thought of as a username-password pair (one for the application and one for the end-user).

So let's use Instagram as an example:

  • Client = Instagram iPhone App
  • Server = Instagram Server
  • Resource Owner = Instagram User

My question is, how does the client store the client identifier and client secret inside the iPhone app when storing passwords in iPhone applications is known to be completely insecure... Where does one store the client identifier and client secret securely for OAuth access?

    possible duplicate of [OAuth secrets in mobile apps](http://stackoverflow.com/questions/1934187/oauth-secrets-in-mobile-apps) – Arian Faurtosh Apr 08 '14 at 23:22
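To make concrete why the quoted excerpt calls the client secret a password, here is an added example (not from the question, not Instagram's code) of OAuth 1.0a request signing as specified in RFC 5849 with HMAC-SHA1. Both secrets, the client secret and the token secret, are joined into the HMAC key, so whoever holds the client secret can produce signatures the server accepts for that client. All identifiers, URLs and secret values below are constructed placeholders.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and server-side verification.

Added illustration for the credential model quoted in the question; every
key, token and URL here is a constructed placeholder, not a real credential.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars are kept."""
    return quote(value, safe="-._~")


def normalize_params(params: dict) -> str:
    """Encode keys and values, sort by key then value, join with '&'.

    A dict is used for brevity, so repeated parameter names are not modelled.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD&encoded(base URL)&encoded(normalized parameters)."""
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def signing_key(client_secret: str, token_secret: str = "") -> str:
    """The HMAC key is 'client secret & token secret'; both halves matter."""
    return f"{pct(client_secret)}&{pct(token_secret)}"


def sign(method: str, base_url: str, params: dict,
         client_secret: str, token_secret: str = "") -> str:
    """Return the base64 HMAC-SHA1 oauth_signature for one request."""
    base = signature_base_string(method, base_url, params)
    key = signing_key(client_secret, token_secret).encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(method: str, base_url: str, params: dict,
           client_secret: str, token_secret: str, presented: str) -> bool:
    """Server side: recompute from the secrets on file and compare in constant time."""
    expected = sign(method, base_url, params, client_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Constructed sample: the app's client credentials and one user's token pair.
CLIENT_ID = "example-ios-app"                 # placeholder client identifier
CLIENT_SECRET = "client-secret-placeholder"   # placeholder client secret
ACCESS_TOKEN = "user-token-placeholder"       # placeholder access token
TOKEN_SECRET = "token-secret-placeholder"     # placeholder token secret

REQUEST_PARAMS = {
    "oauth_consumer_key": CLIENT_ID,
    "oauth_token": ACCESS_TOKEN,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1396999999",   # constructed
    "oauth_nonce": "a1b2c3d4",         # constructed
    "oauth_version": "1.0",
    "count": "20",
}


def demo() -> dict:
    """Sign one request, then show the server's accept/reject decisions."""
    sig = sign("GET", "https://api.example.com/v1/media", REQUEST_PARAMS,
               CLIENT_SECRET, TOKEN_SECRET)
    genuine = verify("GET", "https://api.example.com/v1/media", REQUEST_PARAMS,
                     CLIENT_SECRET, TOKEN_SECRET, sig)
    # Same request signed by a party that has the token secret but a wrong
    # client secret: rejected, because the client secret is half of the key.
    bad_client = sign("GET", "https://api.example.com/v1/media", REQUEST_PARAMS,
                      "some-other-secret", TOKEN_SECRET)
    rejected = verify("GET", "https://api.example.com/v1/media", REQUEST_PARAMS,
                      CLIENT_SECRET, TOKEN_SECRET, bad_client)
    return {"signature": sig, "genuine_accepted": genuine, "wrong_client_secret_accepted": rejected}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for the question: the server only ever checks that the signature was made with the client secret it has on file, so the secret's value lies entirely in its confidentiality. A copy that ships inside every installed app binary is a shared secret with every user of the app, which is why the linked duplicate treats it as not secret at all.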

0 Answers