I suggest treating all the applications on one mobile device as one
OAuth Consumer. They share one token and secret, stored in the mobile
device, for each service provider. (They might also share software for
obtaining authorization, signing requests etc.)

When a service provider asks the user for authorization, it should ask
something like, "Will you permit any software on your mobile device to
<access the service provider> on your behalf?" The user isn't
authorizing a specific application.  He's authorizing an open-ended
set of applications that might use the shared token secret. It's more
dangerous than normal OAuth.

If an application turns out to be malicious, I don't know how you can
unauthorize it without unauthorizing other applications on the same
device. Does Android provide some way for one software module to
identify another, before cooperating with it? Is there some notion of
a module being signed by the organization responsible for it? If so,
you might create a module that mediates usage of the token and secret,
and can refuse usage by blacklisted applications.

On Aug 19, 4:01 am, "Carl H." <charr...@gmail.com> wrote:
> I am currently working on an OAuth provider for Android. As such, any
> application could use the OAuth application across the device
> ecosystem. The idea would be that the OAuth application has already
> been authorized to a majority of OAuth-enabled sites and lets other
> applications use that information for sending requests to those sites.
> As such it would be useful to have an API key per device instead of
> per application. So each device (mobile user) would have its own key
> which could be used by several applications.
>
> For instance, I have a Twitter key used by several applications (e.g.
> jogging application A would send a tweet when finished, movie
> application B would send a tweet when the user saves a movie, game
> application C would send a tweet when a new record is reached). For
> each of the above applications, instead of having 3 API keys (1 per
> app), it would be better to have a single key for the device used
> across the device.
>
> I understand the security restriction here but my OAuth app checks the
> number of requests and lets the user deactivate any application which
> would seem malicious etc...
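The mediating module sketched in the reply above, as an added example in Python that is not code from this thread or from either poster's project: a broker process holds the device-wide OAuth 1.0 token and secrets, signs requests (HMAC-SHA1) on behalf of approved applications so the secrets never leave it, counts requests per app, and refuses an app the user has deactivated or a caller whose signer does not match the one recorded at approval. The signer fingerprint strings are a constructed stand-in for whatever package-signing check the platform offers; the request values follow the OAuth Core 1.0 specification's appendix example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars left alone)."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """Normalize request and oauth_* parameters into the HMAC-SHA1 signature base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class DeviceTokenBroker:
    """Holds the device-wide token and secrets; caller apps only ever receive a signed header."""
    def __init__(self, consumer_key, consumer_secret, token, token_secret):
        self.ck, self.cs, self.token, self.ts = consumer_key, consumer_secret, token, token_secret
        self.apps = {}        # app id -> signer fingerprint recorded when the user approved it
        self.revoked = set()  # app ids the user has deactivated
        self.requests = {}    # per-app request counter (the "number of requests" heuristic)

    def approve(self, app_id, signer):
        self.apps[app_id] = signer

    def deactivate(self, app_id):
        self.revoked.add(app_id)

    def sign(self, app_id, signer, method, url, params, nonce=None, timestamp=None):
        # Refuse a deactivated app, an unknown app, or a caller whose signer differs from the
        # one seen at approval (hypothetical stand-in for a platform package-signature check).
        if app_id in self.revoked or self.apps.get(app_id) != signer:
            raise PermissionError(f"{app_id} may not use the device token")
        self.requests[app_id] = self.requests.get(app_id, 0) + 1
        oauth = {
            "oauth_consumer_key": self.ck, "oauth_token": self.token,
            "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
            "oauth_timestamp": str(timestamp or int(time.time())),
            "oauth_nonce": nonce or secrets.token_hex(8),
        }
        base = signature_base_string(method, url, {**params, **oauth})
        oauth["oauth_signature"] = hmac_sha1_signature(base, self.cs, self.ts)
        # Only the Authorization header goes back to the caller, never the token secret.
        return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))
```

Deactivating one app leaves the others' access intact, which is the property a per-device token cannot give on its own.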
