> Kris - Can you clarify why phones can't protect the client secret? This
> sounds like it would be a major issue for a lot of people.

Mobile apps on phones like iPhone are installed apps, and it is not possible as
far as I know to prevent the client secret from being extracted – you have to

Thanks for all the recommendations, everyone. It looks like the best
solution is to just filter out the password from the post data before
logging it.
In my system, only pre-approved clients can use the password grant type,
similar to how Twitter approves access to their XAuth system on a per-clie
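The filtering settled on above, as an added example that is not code from this thread or from geoloqi: a redactor that masks the password-grant secrets in a token-endpoint POST body before it is handed to a logger, for both form-encoded and JSON bodies. The key names in SENSITIVE_FIELDS and the sample requests are assumptions constructed for the example.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Keys that never belong in a log. Assumed names: the OAuth 2 password-grant
# parameters plus the other secrets a token endpoint sees; extend as needed.
SENSITIVE_FIELDS = frozenset({"password", "client_secret", "refresh_token",
                              "access_token", "code"})
MASK = "[REDACTED]"


def redact_form(body: str) -> str:
    """Mask sensitive keys in an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, MASK if k.lower() in SENSITIVE_FIELDS else v)
                      for k, v in pairs])


def redact_json(body: str) -> str:
    """Mask sensitive keys anywhere in a JSON body, nested objects included.
    Only keys are matched, so grant_type=password stays visible."""
    def walk(node):
        if isinstance(node, dict):
            return {k: (MASK if k.lower() in SENSITIVE_FIELDS else walk(v))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node
    return json.dumps(walk(json.loads(body)), sort_keys=True)


def redact_body(content_type: str, body: str) -> str:
    """Choose the redactor by Content-Type. A body we cannot parse is omitted
    rather than logged raw, since it may still carry a credential."""
    ct = content_type.split(";", 1)[0].strip().lower()
    if ct == "application/x-www-form-urlencoded":
        return redact_form(body)
    if ct == "application/json":
        return redact_json(body)
    return "[body omitted: unparsed content-type %s]" % ct


# Constructed samples: password-grant requests to a token endpoint.
SAMPLE_FORM = "grant_type=password&username=alice&password=hunter2&client_id=app1"
SAMPLE_JSON = '{"grant_type": "password", "creds": {"username": "alice", "password": "hunter2"}}'

if __name__ == "__main__":
    print(redact_body("application/x-www-form-urlencoded", SAMPLE_FORM))
    print(redact_body("application/json; charset=utf-8", SAMPLE_JSON))
```

Call redact_body on the raw request body at the point where the access log is written, so the log line keeps grant_type, username and client_id for debugging while the credential itself never reaches disk.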

Hey Aaron -
Here's some more research and recommendations for you:
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html.
I agree with the other recommendations on this thread; it's probably not a
good idea for you to invent a hashing scheme for

Hi Aaron,
In usual security senses, just hashing or salting the on-wire passwords will not
improve security against credential stealing (both on-wire and local), because a
stolen hashed password will allow access to the resources.
# At least theoretically, we can say that it "weakens" the securit

Aaron,
Actually, I never fully understood the "password" access grant type, as
technically it is against the very spirit of OAuth, which, I thought,
was to avoid divulging the password.
TLS provides confidentiality, and so you ought to be able to rely on
TLS, although I have no idea what kin

If it is https you aren't sending the password unencrypted. You shouldn't be
logging post params unfiltered. You should have a per user random salt you are
hashing the password with, which would make it hard for you to hash it on the
phone without making a separate call to lookup the salt for th

When a user logs into your website with a login form, do you POST their
password in plaintext over HTTPS? Most websites do, and the security of the
"password" grant type is equivalent to that.
If you only allow POST requests to that endpoint, then it should generally keep
the password out of m

Hi folks,
I'm implementing OAuth 2 for my project (geoloqi.com) where I have some
mobile phone clients needing to authenticate. I'm using the "password" grant
type for these clients. Even though the call to the token endpoint is going
over HTTPS, I'm still slightly concerned about sending the user