Dave Kiss

Reputation: 10495

Using OAuth in Wordpress Plugin

From everywhere I've read, I'm left with the impression that it is a bad idea to store consumer secret keys in open source code. So, I've set up an external proxy on another webserver to handle the request and access tokens.

So, once I receive the access token and secret from the provider, should I be saving those tokens on the external webserver, and poll the webserver with every request? Or, should I return these tokens to the user's WordPress installation, where the plugin saves them to the user's database?

Thanks!

Upvotes: 1

Views: 756

Answers (1)

Jon Nylander

Reputation: 8963

Save them to the user's WordPress installation; you will need to have some sort of identifier anyway on your proxy/relay endpoint to identify a plugin with an access token you have saved on your end.

If the access token should leak from the user's WordPress, it is still not usable without the consumer key that you are keeping safe on your end anyway. There is, however, the risk of a leaked access token being used to make authenticated requests via your relay endpoint. But you would have the same situation with another identifying mechanism.

If you really want to play it safe, you could implement a simple cryptographic layer between the WordPress installation and your relay service. Say, for example, a SHA1 hash of the access token parameters, the URL, a timestamp, and yet another installation-specific secret as salt. That would at least hinder a lost access token from being directly usable with your relay endpoint. Then the only attack vector that I can see is that the WordPress DB itself is compromised.

Upvotes: 1
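The signed-request layer the answer sketches (plugin signs each call to the relay with an installation-specific secret plus a timestamp; the relay verifies before using its consumer key) as an added example, not code from the question, the answer, or any real plugin. It uses HMAC-SHA256 instead of a plain SHA1 over the concatenated fields, since an HMAC is the standard keyed construction and is not vulnerable to length extension; it also adds the replay window and constant-time comparison that the answer does not spell out. The header names, installation id, relay URL and secrets are all constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Relay-side table of per-installation shared secrets, keyed by installation id.
# Constructed sample data: in a real deployment the plugin stores its own id and
# secret in the WordPress database and the relay keeps the same pair on its side.
INSTALL_SECRETS = {
    "site-42": b"installation-secret-for-site-42",
}

# Reject requests whose timestamp is more than five minutes from the relay's clock,
# which bounds how long a captured signed request can be replayed.
MAX_SKEW_SECONDS = 300


def canonical_string(method, url, params, timestamp):
    """Deterministic serialisation of everything the signature must cover.

    Parameters are sorted so both sides encode them identically, and the HTTP
    method and URL are included so a signature cannot be moved to another call.
    """
    encoded = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), url, encoded, str(timestamp)])


def sign_request(secret, install_id, method, url, params, timestamp):
    """Plugin side: compute the headers to attach to a call to the relay.

    `params` includes the OAuth access token and the provider API arguments; the
    consumer key never leaves the relay, so it is not part of this message.
    """
    msg = canonical_string(method, url, params, timestamp).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Install-Id": install_id,      # assumed header names
        "X-Timestamp": str(timestamp),
        "X-Signature": sig,
    }


def verify_request(method, url, params, headers, now=None):
    """Relay side: check a signed request before using the consumer key.

    Returns (ok, reason). Only after this returns True should the relay sign the
    upstream OAuth call with its own consumer secret.
    """
    now = time.time() if now is None else now
    secret = INSTALL_SECRETS.get(headers.get("X-Install-Id"))
    if secret is None:
        return False, "unknown installation"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    msg = canonical_string(method, url, params, ts).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a remote attacker cannot learn the signature
    # byte by byte from response timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed round trip: the plugin signs, the relay verifies.
    url = "https://relay.example/proxy/statuses/update"  # assumed relay URL
    params = {"oauth_token": "access-token-from-db", "status": "hello"}
    ts = int(time.time())
    headers = sign_request(INSTALL_SECRETS["site-42"], "site-42", "POST", url, params, ts)
    print(verify_request("POST", url, params, headers))
    print(verify_request("POST", url, dict(params, status="tampered"), headers))
```

Note that, as the answer says, this only raises the bar against a token leaked on its own; an attacker who dumps the whole WordPress database gets the installation secret too and can sign requests. The relay can still limit the damage by revoking that installation's secret and by only accepting the URLs and parameters the plugin is supposed to use.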
