Reputation: 305
I'm a newbie to iPhone development, and was wondering what the standard way to do 2-legged OAuth is. I've landed on 2-legged OAuth, as this app is basically another interface to my web app (like a Twitter / Facebook app for iPhone), so after doing a bit of research I decided that 2-legged OAuth would get the job done for me instead of 3-legged.
I'm not entirely clear about how 2-legged OAuth works, but specifically what I'm not clear about is how the public/private key is managed per user (per iPhone). I believe that having the same public/private key on each iPhone won't be a good idea. Ideally, shouldn't every iPhone have a different private key? If all iPhones have the same public+private key, then doesn't it become very easy for anyone to get hold of these and start making arbitrary requests from anywhere? Also, how would I be able to know which user is making these requests? Is it a good idea to send some sort of token (just like a cookie with session info) with every request?
It would be great if someone could shed more light on the current industry standards, as to how iPhone apps get around this.
Thanks a lot.
Upvotes: 2
Views: 315
Reputation: 15492
The problem with two-legged OAuth per se is the storage of the client access key and secret key. The secret key in OAuth (as far as I understand) shouldn't be transferred through HTTP(S). This means you have to store it inside the app, which makes it very likely to be reverse engineered and found.
I'd suggest using HTTPS first, with something simple like this: http://matteomelani.wordpress.com/2011/10/17/authentication-for-mobile-devices/
OAuth will enable other client applications to connect to/consume the API of your Rails application, but the "secret key" issue kills it when you use it in mobile apps to consume your own API. When you consume Facebook or Twitter or other OAuth providers from your mobile apps, the secret key is still in your backend, to process/authorize the tokens / codes.
Also, this has been my experience so far; it's not exactly a definite answer, maybe someone else can shed more light on it as well.
Upvotes: 1