Questions tagged [oauth]
56 questions
127 votes, 4 answers
REST API security Stored token vs JWT vs OAuth
I am still trying to find the best security solution for protecting a REST API, because the number of mobile applications and APIs is increasing every day.
I have tried different ways of authentication, but still have some misunderstandings, so I need…

CROSP
33 votes, 5 answers
How do I store the OAuth v1 consumer key and secret for an open source desktop Twitter client without revealing it to the user?
I want to make a thick-client, desktop, open source twitter client. I happen to be using .NET as my language and Twitterizer as my OAuth/Twitter wrapper, and my app will likely be released as open source.
To get an OAuth token, four pieces of…

Justin Dearing
26 votes, 5 answers
OAuth2 ROPC vs Basic Auth for public REST APIs?
The specific use case I'm interested in here is authenticating REST clients against publicly-available server endpoints (such as a public REST API).
The simplest solution here is Basic Auth. But I often hear OAuth2 touted as a superior auth solution…

smeeb
24 votes, 4 answers
How should I architect a RESTful webservice to use 3rd party (i.e. Google, Facebook, Twitter) for authentication?
For my job we have a nice RESTful webservice we've built out that we use to drive a couple websites we have. Basically the webservice lets you create and work with support tickets, and the website is responsible for the front end. Any webservice…

Ralph Callaway
13 votes, 1 answer
How to handle per-resource (fine grained) permissions in OAuth?
I'm designing an app architecture using OAuth 2.0. I have a separate Resource Server and Authorization Server. The latter keeps a database of users and the scopes available to them.
Now, my question is: How and where to store/model fine-grained,…

akavel
9 votes, 1 answer
Facebook authentication with an Authoritative Server for a Flash Game
I'm working on a multiplatform game in Flash. This game utilizes Photon Server for authoritative physics and user statistics tracking. I'm looking to leverage Facebook authentication as an alternative to creating a domain specific account. I'm…

Kody Manharth
9 votes, 1 answer
How should I handle a redirect to an identity provider during a web api data request
Scenario
I have a single-page web app consisting purely of html, css, and javascript. After initial load and during use, it updates various views with data from one or more RESTful apis via ajax calls. The api calls return data in a json format.…

Erds
8 votes, 3 answers
OAuth alternative for a 2 party system
I'm writing a RESTful service (Java EE, Jersey) and a client application that communicates with it, and I wish to secure it and store any usernames & passwords dedicated in my own database.
I do not want the client to store the username and password…

Alon Amir
7 votes, 1 answer
Is OAuth 2.0 ok for building a container of applications?
I need to create a container app which contains several apps (imagine something like iCloud): once I've been logged in, I can see all the apps by means of icons, click on them and use them (a new tab/page is open and no login is required).
The…

Bertuz
7 votes, 1 answer
Does it make sense to implement OAuth for a 2 party system?
I'm under the impression that OAuth is for authentication between three parties. Does it make sense to implement OAuth in a context where there is just a client and a server?
We have a server, and a client (HTML/javascript). Currently we authenticate…

nbv4
6 votes, 1 answer
Client generated JWT
I'm working with a 3rd party company who are providing an API along with an unusual security approach.
The security approach is essentially using a JWT by itself (no oauth). What's odd is that they're expecting us (the client) to create the token…

fml
6 votes, 1 answer
Performing client-side OAuth authorized Twitter API calls versus server side, how much of a difference is there in terms of performance?
I'm working on a Twitter application in Ruby on Rails. One of the biggest arguments that I have with other people on the project is the method of calling the Twitter API. Before, everything was done on the server: OAuth login, updating the user's…

Terence Ponce
6 votes, 1 answer
iOS and Server: OAuth strategy
I'm trying to work out how to handle authentication when I have iOS clients accessing a Node.js server and want to use services such as Google, Facebook etc. to provide basic authentication for my application. My current idea of a typical flow is…

drekka
5 votes, 1 answer
How can I build a seamless login for multiple sites using OAuth2?
The question is admittedly a bit leading, but what I mean to ask is:
If a user logs into site X, is there a way to automatically log into site Y? Site Y utilises single sign-on via the OAuth2 service on site X, so a login via site Y would log you…

Julian H. Lam
5 votes, 1 answer
Mask OAuth API key and token for pure client-side technologies
If I were to build a Twitter or Facebook application using pure client-side technologies like HTML and javascript, how would I mask/hide my API keys?
For example, for Twitter I have consumer key and consumer secret. In order for me to call…

Sai