Dan

Reputation: 16256

OAuth - different consumer key for each consumer platform

We have developed a REST API which is consumed by two apps: one running on Android and one on iOS. The API is not public - we built the apps in-house.

Does it make sense to give a different consumer key to each platform (e.g. one for iOS on smartphones, one for iOS on tablets, one for Android on smartphones, ...)?

One advantage of having several keys is being able to easily do device segmentation analysis (however, that can be done in other ways).

Any strong point for one of the two strategies?

What are the advantages and disadvantages?

Thanks.

Upvotes: 2

Views: 245

Answers (2)

Jared Hanson

Reputation: 16000

In the context of OAuth, any application that runs on an end-user device (including iOS and Android devices) is known as a "public" client because the secret key is distributed along with the application.

This is in contrast to a server-side web application, in which the key can safely remain secret. Only permitted developers and operations staff have access to it. In the case of applications that are distributed to devices, even with obfuscation, it's impossible to guarantee that the secret won't be exposed to unauthorized parties (essentially anyone with your app in their pocket), effectively rendering the key publicly available.

Given that, there is very little significance, from a security perspective, for assigning unique client IDs and secrets to devices that access your API. A malicious developer could very easily use the public credentials to pose as an "approved" app.

As you note, you can use a client ID to do device segmentation, but there are other ways to do that as well, such as a User-Agent header, that don't convey misguided security implications.

In summary, there is no real benefit to issuing unique client IDs to apps based on platform. However, it is important to consider how public clients factor into the security concerns when authorizing access to your API.

Upvotes: 3
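To make the distinction in the answer above concrete, here is an added illustration (not code from the original answer): a minimal token-endpoint client-authentication policy in which a client_id presented by a public (mobile) client is recorded only as a segmentation label, while only a confidential client can earn trust by proving its secret. The registry, client IDs and secrets are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical client registry. Public clients (apps shipped to devices) carry
# no secret the server can rely on; confidential clients (server-side) do.
@dataclass(frozen=True)
class Client:
    client_id: str
    kind: str                 # "public" or "confidential"
    secret_hash: bytes = b""  # sha256 of the secret, confidential clients only

def _h(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()

REGISTRY = {
    "ios-app":     Client("ios-app", "public"),
    "android-app": Client("android-app", "public"),
    "backoffice":  Client("backoffice", "confidential", _h("constructed-secret")),
}

def authenticate_client(client_id: str, client_secret: Optional[str]) -> dict:
    """Decide what the token endpoint may conclude about the calling client.

    trusted=True only when a confidential client proves possession of its secret.
    For a public client the client_id is kept purely as a segmentation label:
    any secret baked into the app is assumed extractable, so presenting it
    proves nothing. The end user, via the authorization grant, is the principal
    that is actually authenticated elsewhere in the flow.
    """
    client = REGISTRY.get(client_id)
    if client is None:
        return {"ok": False, "trusted": False, "segment": None, "reason": "unknown_client"}
    if client.kind == "public":
        # Continue with grant processing, but attach no client-level trust.
        return {"ok": True, "trusted": False, "segment": client.client_id,
                "reason": "public_client"}
    # Confidential client: verify the secret with a constant-time comparison.
    if client_secret is None or not hmac.compare_digest(_h(client_secret), client.secret_hash):
        return {"ok": False, "trusted": False, "segment": None, "reason": "bad_secret"}
    return {"ok": True, "trusted": True, "segment": client.client_id,
            "reason": "confidential_client"}
```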

Dmitry Kaigorodov

Reputation: 1533

If you make app developers use several OAuth consumer keys, one for each platform, then the developers will not be happy! Developers will have to somehow manage these keys for your service. What if app developers need to reissue the keys? What if they are launching the app on a new platform? How much additional effort will these developers need to maintain the keys? Also, consider some platforms that you are not aware of: new mobile OSes, strange devices, unusual use cases. Do you want to limit and control all variants of use of your service?

One of the reasons why you might still do that is that you can sell your API services separately for each platform (and probably with different prices).

Upvotes: 0
