@Zhihong consumer secret should be a SECRET.
Yes, if you are talking about a client like JavaScript then it's
insecure, but languages like Objective-C which deploy binaries should be secure.

I would say it's perfectly OK for iPhone/Objective-C authorization needs.

Thanks,
Monis

On Jul 24, 7:24 pm, Zhihong <zhih...@gmail.com> wrote:
> Mike,
>
> OAuth is different things for different people. OAuth proper (the 3-
> legged flow) is not suitable for JAX-RS. However, we use OAuth signing
> to secure all our API calls and HTTP redirects. Someone asked me about
> using Jersey to make the OAuth-signed calls so we played around with
> Jersey. It's pretty easy to plug OAuth in. On server side, you can get
> all the parameters and headers, so you should be able to use Java
> library to verify the signature. On client side, the Jersey Client
> Library can be extended to support the signing. This would be an
> interesting extension to add to the Java library.
>
> In my opinion, you don't add much security by using OAuth on client
> because there is no way to keep the secret. However, many people still
> do it. It may raise the hurdle for hacking a little, but not much.
>
> To answer all your questions,
>
> 1. No, unless you know how to keep the secret or you don't care about
> security :( There is an Objective-C library you can use.
> 2. No for the same reason. Anyone can get your secret and make calls
> just like your app.
> 3. No, but OAuth doesn't provide encryption. If you need
> confidentiality, you can use OAuth over SSL.
> 3a. See #2. It can be used to validate user if you can get around the
> security issue on iPhone.
> 4. I have no idea.
> 5. See #3
> 6. Function-wise, they have a tiny bit of overlap (both handle
> authorization) but the implementations are very different. REST
> Identity Services is not RESTful at all. Most Liberty/OASIS protocols
> use SOAP as the communication stack. REST Identity Services simply
> removes SOAP but it still relies on heavy duty protocols like SAML,
> XACML etc. You use REST for simplicity but this is not really simple.
> So I would rather use the full Identity Services if I go that route.
>
> Zhihong
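The thread touches two points worth seeing in code: Zhihong's remark that the server "can get all the parameters and headers" and verify the OAuth signature with a library, and the disagreement about whether a consumer secret shipped inside an app binary is really secret. The block below is an added example written for this page; it is not code from the thread, from Jersey, or from any OAuth library the posters mention. It implements RFC 5849 HMAC-SHA1 signature verification in Python rather than Java so it can be run as-is; the consumer keys, secrets, token, URL and nonce values are constructed for the demonstration. The same `hmac_sha1_signature` routine serves both the client-side `build_authorization` and the server-side `Verifier`, which is the point of the thread: whoever holds the consumer secret (including anyone who extracts it from a distributed binary) can produce signatures the server will accept, so the signature proves possession of the secret and nothing about which program is calling. The verifier also rejects stale timestamps and replayed nonces, which the signature alone does not cover.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing and server-side verification (added example)."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 mandates: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(s, safe="-._~")


def parse_authorization(header: str) -> dict:
    """Parse 'OAuth k="v", k2="v2"' into a dict, percent-decoding values; 'realm' is not signed."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth 1.0 Authorization header")
    return {k: unquote(v) for k, v in re.findall(r'([A-Za-z0-9_]+)="([^"]*)"', rest) if k != "realm"}


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Build the RFC 5849 section 3.4.1 base string: METHOD & base-URL & normalized params.
    `body` must only be passed for application/x-www-form-urlencoded requests."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"  # default ports are omitted, others kept
    base_url = f"{scheme}://{host}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # encode first, then sort by encoded key and value, then join
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def build_authorization(method, url, consumer_key, consumer_secret, token=None,
                        token_secret="", body="", timestamp=None, nonce=None) -> str:
    """Client side: produce the Authorization header a signing client would send."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if timestamp is None else timestamp)),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params, body), consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())


class Verifier:
    """Server side: check signature, timestamp freshness and nonce uniqueness."""

    def __init__(self, consumer_secrets: dict, token_secrets: dict, window: int = 300):
        self.consumer_secrets = consumer_secrets  # consumer_key -> consumer_secret
        self.token_secrets = token_secrets        # oauth_token -> token_secret
        self.window = window                      # accepted clock skew in seconds
        self.seen = set()                         # (consumer_key, timestamp, nonce); prune by age in production

    def verify(self, method: str, url: str, authorization: str, body: str = "", now=None) -> bool:
        now = time.time() if now is None else now
        p = parse_authorization(authorization)
        if p.get("oauth_signature_method") != "HMAC-SHA1" or "oauth_nonce" not in p:
            return False
        consumer_key = p.get("oauth_consumer_key")
        consumer_secret = self.consumer_secrets.get(consumer_key)
        if consumer_secret is None:
            return False
        token = p.get("oauth_token")
        token_secret = "" if token is None else self.token_secrets.get(token)
        if token_secret is None:
            return False  # unknown token
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False  # stale or future-dated request
        replay_key = (consumer_key, ts, p["oauth_nonce"])
        if replay_key in self.seen:
            return False  # same nonce/timestamp already accepted
        expected = hmac_sha1_signature(signature_base_string(method, url, p, body), consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False
        self.seen.add(replay_key)
        return True
```

`signature_base_string` reproduces the worked example in RFC 5849 section 3.4.1.1 exactly, including the duplicated `a3` parameter sorted by value and the double-encoded `b5`. Note that nothing here is encrypted: the query, body and header travel in the clear, which is why the thread recommends OAuth over SSL when confidentiality is needed.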