Hi, I'm creating an OAuth API for my company. I've some questions about how to handle the security of it. Currently I give a token to each application which is registered. With this token applications can call the API for public requests, and can ask for a user token in order to do some actions for him.
When I receive a request with a token in the parameters, I want to be sure that the request is sent by the right application. I want to avoid token thieves. So, for now, when someone wants to create an application, he needs to tell what the domains assigned to his application are. And for each request, I check whether the origin, referer or host of the request corresponds to the domains assigned to the token parameter.

If I use origin, referer and host, it's because my client app is a JavaScript application and I can't put a secret key in JavaScript to sign requests, because it's a secret ^^ But I am afraid that the origin, referer and host of a request can be modified by a third party. Am I right?

I've also some interrogations about how to keep that token system for mobile apps. Because as I'm doing verifications on referer, host and origin, how can I keep a similar system with an application which doesn't have these fields?

Thank you all, I expect I was clear, I'm a little confused :) Have a nice day!
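The check described in the post, and the standard mechanism for the mobile/JavaScript case it asks about, as an added example that is not code from the original message. The first function does what the post describes: it extracts the hostname from the Origin, Referer or Host header and compares it with the domains registered for the application token. The second part goes beyond the post and shows PKCE (RFC 7636), which binds a user token to the client that started the authorization flow without any client secret, so it works for browser and mobile apps alike. The registry, tokens, domains, header values and function names are all constructed for this example.

```python
"""Added example, not code from the original post.  It shows (1) the check the
post describes: the Origin, Referer or Host header of a request must name a
domain registered for the application token, and (2) PKCE, the standard way
to bind a user token to a public client (browser or mobile app) that cannot
hold a secret.  Every token, domain and header value here is constructed."""
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed registry: application token -> registered hostnames.
APP_REGISTRY = {
    "app-token-alpha": {"alpha.example", "www.alpha.example"},
}


def _hostname(header_name, value):
    """Extract the lowercase hostname from an Origin/Referer URL or a Host header."""
    # Host carries no scheme, so prefix "//" to let urlsplit parse host[:port].
    url = value if header_name != "Host" else "//" + value
    try:
        return urlsplit(url).hostname  # already lowercased, port stripped
    except ValueError:
        return None


def registered_domain_matches(token, headers, registry=APP_REGISTRY):
    """True if any of Origin, Referer or Host names a hostname registered for token.

    These headers are set by whoever builds the request.  A browser fills in
    Origin/Referer itself and page script cannot overwrite them, so the check
    does stop other websites from using the token from inside a browser.  A
    non-browser HTTP client chooses the values freely, so a match proves only
    that the sender claimed a registered domain, not that it is the registered
    application.  Hostname matching (not substring matching) is used so that
    "alpha.example.other.test" or a URL carrying the domain in its query string
    does not match.
    """
    allowed = registry.get(token)
    if not allowed:
        return False
    for name in ("Origin", "Referer", "Host"):
        value = headers.get(name)
        if not value:
            continue
        host = _hostname(name, value)
        if host and host in allowed:
            return True
    return False


def _s256(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_pair():
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, _s256(verifier)


def pkce_verify(verifier, challenge):
    """Server side, at token exchange: the presented verifier must hash to the
    challenge stored with the authorization request.  A party holding only the
    authorization code cannot complete the exchange without the verifier."""
    return secrets.compare_digest(_s256(verifier), challenge)


if __name__ == "__main__":
    browser_req = {"Origin": "https://www.alpha.example", "Host": "api.example"}
    print(registered_domain_matches("app-token-alpha", browser_req))  # True
    other_site = {"Origin": "https://other.example", "Referer": "https://other.example/p"}
    print(registered_domain_matches("app-token-alpha", other_site))  # False
    v, c = pkce_pair()
    print(pkce_verify(v, c), pkce_verify("wrong-verifier", c))  # True False
```

The domain check is worth keeping as a browser-side measure, but the PKCE verifier is what ties the user token to the application instance that requested it, which is the property the post is after for clients that have no Origin or Referer to inspect.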