> But I am afraid that origin, referer and hosts of request can be modified by
> a third party.
>
> Am I right ?

In OAuth 1.0a, the HOST HTTP header is included in the OAuth signature (if you are using the HMAC-SHA1 or RSA-SHA1 signature mechanisms). Origin and Referer are NOT included by default in the signature. Depending on how much control you have over the software doing the signature verification, you might be able to add other parts of the HTTP request to the signature verification.

> I've also some interrogations about how to keep that token system for mobile
> apps. Because as I'm doing verifications about referer, host, and origin, how
> can I keep a similar system with an application which doesn't have these fields
> ?

You can of course add known values (made up by yourself) to the HTTP OAuth requests made by your mobile devices. But a mobile device can't easily perform the web redirects needed for web-based OAuth. This is typically (but not optimally) overcome by "embedding" a web browser control inside your mobile app.

Cheers,

JohnK

On Apr 17, 2013, at 4:39 AM, Adrien Blandin wrote:

> Hi,
>
> I'm creating an OAuth API for my company. I've some questions about how to
> handle the security of it.
> Currently I give a token to each application which is registered. With this
> token applications can call the API for public requests, and can ask for a
> user token in order to do some actions for him.
>
> When I receive a request with a token in parameters, I want to be sure that
> the request is sent by the right application. I want to avoid token
> thieves. So, for now when someone wants to create an application, he needs to
> tell what are the domains assigned to his application. And for each request,
> I watch if the origin, referer or host of the request corresponds to the
> domains assigned to the token parameter.
>
> If I use origin, referer and host, it's because my client app is a JavaScript
> application and I can't put a secret key in JavaScript to sign requests,
> because it's a secret ^^
>
> But I am afraid that origin, referer and hosts of request can be modified by
> a third party.
>
> Am I right ?
>
> I've also some interrogations about how to keep that token system for mobile
> apps. Because as I'm doing verifications about referer, host, and origin, how
> can I keep a similar system with an application which doesn't have these fields
> ?
>
> Thank you all, I expect I was clear, I'm a little confused :)
>
> Have a nice day !
>
> --
> You received this message because you are subscribed to the Google Groups
> "OAuth" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to oauth+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
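The point JohnK makes above, that an OAuth 1.0a signature binds the host and the request parameters but not Origin or Referer, is easiest to see by building the signature base string and then watching what a third party can and cannot change without the secrets. The following is an added example written for this thread, not code from the OAuth list, from either poster, or from any OAuth library. It implements the HMAC-SHA1 method of RFC 5849 section 3.4 directly; the consumer key, token, secrets, nonce and request values are all constructed, except the `rfc5849_example_base_string` inputs, which are the ones printed in RFC 5849 section 3.4.1.1.

```python
"""OAuth 1.0a HMAC-SHA1 signing per RFC 5849 section 3.4, written as an added example
for this thread (not code from any OAuth library). It shows which parts of a request
the signature covers: the host, via the base string URI, and the signed parameters,
but not the Origin or Referer headers. All secrets and request values are constructed."""
import base64
import copy
import hashlib
import hmac
import urllib.parse


def pct(s):
    # RFC 5849 3.6: encode everything except ALPHA, DIGIT, '-', '.', '_', '~'.
    return urllib.parse.quote(s, safe="~")


def base_string_uri(scheme, host, port, path):
    # RFC 5849 3.4.1.2: lowercase scheme and host, omit the default port, no query.
    scheme, host = scheme.lower(), host.lower()
    default_port = {"http": 80, "https": 443}[scheme]
    authority = host if port in (None, default_port) else "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, authority, path)


def normalized_params(params):
    # RFC 5849 3.4.1.3.2: query, form-body and oauth_* pairs (minus oauth_signature),
    # each name and value encoded, sorted by name then value, joined with '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join("%s=%s" % kv for kv in pairs)


def signature_base_string(method, scheme, host, port, path, params):
    return "&".join([method.upper(),
                     pct(base_string_uri(scheme, host, port, path)),
                     pct(normalized_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = "%s&%s" % (pct(consumer_secret), pct(token_secret))
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def rfc5849_example_base_string():
    """Base string for the POST /request example in RFC 5849 section 3.4.1.1."""
    params = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),  # query string
              ("c2", ""), ("a3", "2 q"),                                # form body
              ("oauth_consumer_key", "9djdj82h48djs9d2"),               # Authorization header
              ("oauth_token", "kkk9d7dh3k39sjv7"),
              ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_timestamp", "137131201"), ("oauth_nonce", "7d8f3e4a")]
    return signature_base_string("POST", "http", "example.com", 80, "/request", params)


CONSUMER_SECRET = "kd94hf93k423kf44"  # constructed
TOKEN_SECRET = "pfkkdhi9sl3r4s00"     # constructed


def verify(req, consumer_secret, token_secret):
    """Server-side check. 'host' is the host the server received the request on;
    req['headers'] (Origin, Referer, ...) never enters the computation."""
    params = [(k, v) for k, v in req["params"] if k != "oauth_signature"]
    presented = dict(req["params"]).get("oauth_signature")
    if presented is None:
        return False
    base = signature_base_string(req["method"], req["scheme"], req["host"],
                                 req["port"], req["path"], params)
    return hmac.compare_digest(hmac_sha1_signature(base, consumer_secret, token_secret), presented)


def make_signed_request():
    """A legitimate client's signed GET (constructed values)."""
    params = [("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
              ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1366200000"),
              ("oauth_nonce", "kllo9940pd9333jh"), ("file", "vacation.jpg")]
    base = signature_base_string("GET", "https", "api.example.com", None, "/photos", params)
    return {"method": "GET", "scheme": "https", "host": "api.example.com", "port": None,
            "path": "/photos",
            "params": params + [("oauth_signature", hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET))],
            "headers": {"Origin": "https://app.example.com", "Referer": "https://app.example.com/"}}


def tamper_outcomes():
    """Does the server accept the request after a third party edits parts of it?"""
    good = make_signed_request()
    out = {"untouched": verify(good, CONSUMER_SECRET, TOKEN_SECRET)}

    edited = copy.deepcopy(good)  # Origin/Referer are not signed: the edit is invisible
    edited["headers"].update(Origin="https://evil.example", Referer="https://evil.example/")
    out["origin_referer_changed"] = verify(edited, CONSUMER_SECRET, TOKEN_SECRET)

    edited = copy.deepcopy(good)  # host is in the base string URI: signature no longer matches
    edited["host"] = "evil.example"
    out["host_changed"] = verify(edited, CONSUMER_SECRET, TOKEN_SECRET)

    edited = copy.deepcopy(good)  # a signed parameter is changed
    edited["params"] = [(k, "private.jpg" if k == "file" else v) for k, v in edited["params"]]
    out["param_changed"] = verify(edited, CONSUMER_SECRET, TOKEN_SECRET)

    edited = copy.deepcopy(good)  # a token thief re-signs but lacks the consumer secret
    edited["params"] = [(k, v) for k, v in edited["params"] if k != "oauth_signature"]
    base = signature_base_string("GET", "https", "api.example.com", None, "/photos", edited["params"])
    edited["params"].append(("oauth_signature", hmac_sha1_signature(base, "", TOKEN_SECRET)))
    out["resigned_without_consumer_secret"] = verify(edited, CONSUMER_SECRET, TOKEN_SECRET)
    return out


if __name__ == "__main__":
    print(rfc5849_example_base_string())
    for name, accepted in tamper_outcomes().items():
        print("%-34s %s" % (name, "accepted" if accepted else "REJECTED"))
```

Two things worth noticing when running it. First, RFC 5849 binds the host through the base string URI (scheme, host, port and path), not by hashing the literal `Host:` header line; in practice the server fills that URI in from the host it received the request on, so an attacker who edits the host still gets a mismatch. Second, the last case is the one that matters for the original question about token thieves: with a real secret on the client, knowing the token and the key is not enough to produce a valid signature, whereas a check on Origin or Referer rejects nothing, since those headers are simply whatever the sender chooses to put there.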