We're in uncharted territory here. At least I don't know of any
working systems like this. So take my ideas with healthy skepticism.

Yes, a service provider should be able to unauthorize a consumer
easily.  But if the consumer is composed of multiple applications
(sharing a token and secret), OAuth doesn't provide a way to
unauthorize the applications individually. (You might consider this a
reason not to have multiple applications work as one consumer.)

I tossed out a half-baked idea that some entity within the mobile
device might control access by applications individually. It would
need a way to identify unauthorized applications.

On Aug 20, 6:23 pm, Sunir Shah <su...@freshbooks.com> wrote:
>
> On 20-Aug-09, at 9:03 PM, John Kristian wrote:
>
> > If an application turns out to be malicious, I don't know how you can
> > unauthorize it without unauthorizing other applications on the same
> > device. Does Android provide some way for one software module to
> > identify another, before cooperating with it?
>
> OAuth makes it easy to disable every single access token owned by a  
> compromised consumer at once. You have the consumer key when you  
> authorize the access token. You should store the consumer association  
> with the access token. Then it's only one query to blow away all the  
> compromised consumer's access tokens.
>
> > Is there some notion of
> > a module being signed by the organization responsible for it? If so,
> > you might create a module that mediates usage of the token and secret,
> > and can refuse usage by blacklisted applications.
>
> If I understand your question correctly, signing an application is  
> irrelevant to the OAuth service provider, since you can fake any  
> signature over the wire. It's only possible for the device's operating  
> system to verify the signature because it has access to the  
> application binary.
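Sunir's point above (store the consumer key with each access token so that revocation is a single query) and John's concern that applications sharing one consumer's credentials can only be cut off together, as an added example that is not code from either poster; the table layout, column names and the constructed consumer keys are my own assumptions:

```python
import sqlite3
import secrets

class TokenStore:
    """Minimal service-provider token store (constructed for illustration)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # Every access token records the consumer key presented when it was
        # authorized, so revoking a consumer needs no per-token bookkeeping.
        self.db.execute(
            "CREATE TABLE access_tokens ("
            "  token TEXT PRIMARY KEY, secret TEXT NOT NULL,"
            "  consumer_key TEXT NOT NULL, user_id TEXT NOT NULL,"
            "  revoked INTEGER NOT NULL DEFAULT 0)"
        )
        self.db.execute("CREATE INDEX idx_consumer ON access_tokens(consumer_key)")

    def issue(self, consumer_key, user_id):
        """Authorize an access token for user_id on behalf of consumer_key."""
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self.db.execute(
            "INSERT INTO access_tokens (token, secret, consumer_key, user_id)"
            " VALUES (?, ?, ?, ?)",
            (token, secret, consumer_key, user_id),
        )
        return token, secret

    def revoke_consumer(self, consumer_key):
        """Disable every live token owned by a compromised consumer in one query."""
        cur = self.db.execute(
            "UPDATE access_tokens SET revoked = 1 WHERE consumer_key = ? AND revoked = 0",
            (consumer_key,),
        )
        return cur.rowcount  # number of tokens just revoked

    def lookup(self, consumer_key, token):
        """Return the token secret if the token is live and bound to this consumer, else None."""
        row = self.db.execute(
            "SELECT secret FROM access_tokens"
            " WHERE token = ? AND consumer_key = ? AND revoked = 0",
            (token, consumer_key),
        ).fetchone()
        return row[0] if row else None

def demo():
    """Two apps on one device share one consumer key and one token (constructed)."""
    store = TokenStore()
    shared_consumer, other_consumer = "mobile-suite-key", "unrelated-consumer-key"
    token, _ = store.issue(shared_consumer, "alice")
    other_token, _ = store.issue(other_consumer, "alice")
    # Revoking the shared consumer cuts off both apps at once: the provider
    # cannot tell them apart because they present identical credentials.
    assert store.revoke_consumer(shared_consumer) == 1
    return store.lookup(shared_consumer, token) is None and \
        store.lookup(other_consumer, other_token) is not None
```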

You received this message because you are subscribed to the Google Groups "OAuth" group.