Reputation: 10664
OAuth and obtaining shared secret securely
I am building a downloadable web application, which is packaged as a ZIP archive. When downloaded webmaster is taken through installer. As one step of the installer, he is asked to "register" his copy from the main site. After registration is successful I need to issue that particular copy of my software a shared key/secret for further API access through OAuth.
Please advise the most secure and correct way to do this. Again, here are steps:
- software is downloaded (same zip for everyone, cannot contain secrets)
- webmaster opens wizard (by pointing his browser at localhost)
- wizard redirect to example.com where user enters his credential
- user is then sent back to localhost along with
- oauth key
- shared secret
- in the future software can access API directly through OAuth token.
Another question is can I obtain token during the initial handshake or should I perform that step later.
Upvotes: 0
Views: 611
Answers (1)
Reputation: 118714
Have the web app itself perform the transaction itself, and then collect the secret directly. Don't have the users go to the external site.
Upvotes: 1
Related Questions
- OAuth clarification
- OAuth is not secure or I didn't understand it?
- OAUTH client secret security, localhost redirect URI and impersonation
- OAuth authentication client side security issues
- Securing API communication with Oauth
- OAuth - How is it secure?
- Hiding oauth secrets
- OAuth token security
- OAuth - Security against sharing Consumer Key/Secret and list of Access Tokens
- Best Practices for REST Shared Secret Value