11

I'm looking at the OAuth implementation Twitter proposes here:

https://dev.twitter.com/docs/auth/oauth

and OAuth libraries like signpost:

http://code.google.com/p/oauth-signpost/

They both talk about using the client secret during the OAuth flow, which means that for my client application I'd need to store the secret in the application itself. This is probably risky, as someone could grab the secret out of my app. Are there any methods around storing the secret within my app? Am I misunderstanding the OAuth flow?

Thanks

user291701
  • 38,411
  • 72
  • 187
  • 285

1 Answer

3

There are no ways of storing client credentials in a native or JavaScript application without making them practically public. Also, putting those credentials on a proxy server and having the client talk to the server (so that the credentials are not exposed) doesn't really solve anything either. Now you have a problem of authenticating the client to the proxy.

The right solution is to have special support for native applications provided by the OAuth service. OAuth 2.0 uses pre-registered redirection URIs and other techniques to accomplish a reasonable client identity verification for such clients.

Eran Hammer
  • 7,036
  • 3
  • 31
  • 23
  • 2
    Could you elaborate on that? I had a quick skim of the draft - http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-9 - does this mean that native apps don't employ a 'client secret' when using OAuth? Could you describe the required flow? – Roberto Tyley Sep 26 '11 at 16:34
  • 3
    Native apps should not use a client secret because it has no real value and creates a fake sense of security. – Eran Hammer Oct 02 '11 at 06:45
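An added example, not code from the question, the answer, Twitter or signpost, illustrating the answer's point that a native (public) client's identity rests on its pre-registered redirection URIs rather than on a secret baked into the app. It models a minimal in-memory authorization server that registers a client with no secret, accepts only an exact match against that client's registered redirect URIs, and, going slightly beyond the answer's text, also binds the authorization code to a PKCE code challenge (RFC 7636, the later-standardized companion technique for public clients). The client id, redirect URIs and token format are constructed for this example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed client registry for this example: a public (native) client is
# registered with NO client secret; what ties an authorization code to it is the
# exact set of redirection URIs agreed out of band with the OAuth service.
REGISTERED_CLIENTS = {
    "native-app-123": {  # hypothetical client id
        "redirect_uris": [
            "com.example.app:/oauth2/callback",  # custom scheme for a mobile app
            "http://127.0.0.1:8765/cb",          # loopback listener for a desktop app
        ],
    },
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string comparison against the registered list.

    No prefix, wildcard or substring matching: anything looser would let a
    redirect_uri the client never registered pass, and a fragment is never
    allowed in a redirection URI.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def _s256(verifier):
    # PKCE "S256" transform: BASE64URL(SHA256(verifier)) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh per-request verifier and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, _s256(verifier)


def pkce_matches(verifier, challenge):
    # constant-time comparison so timing does not leak how close a guess was
    return secrets.compare_digest(_s256(verifier), challenge)


class AuthorizationServer:
    """In-memory model of the two relevant endpoints; nothing network-facing."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        """Authorization endpoint: issue a code only to a registered redirect URI."""
        if not redirect_uri_allowed(client_id, redirect_uri):
            return None  # never redirect to an unregistered URI, not even with an error
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Token endpoint: no secret is checked. The code is single-use and bound
        to the client id, the redirect URI it was issued to, and the PKCE verifier."""
        record = self._codes.pop(code, None)  # any attempt, good or bad, consumes the code
        if record is None:
            return None
        issued_client, issued_uri, challenge = record
        if client_id != issued_client or redirect_uri != issued_uri:
            return None
        if not pkce_matches(code_verifier, challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(16)  # constructed token format
```

The point the model makes: whoever extracts the app's bundle learns nothing usable, because there is no secret to extract; a code can only be delivered to a URI the service already knows, and redeeming it requires the per-request verifier that only the instance which started the flow holds. A code presented with the wrong verifier is consumed and yields nothing.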