Re: [oauth] OAuth design for API without users permission

2010-08-06 Thread Lukas Rosenstock
Hi Eric!

If there's no user authentication, you can use two-legged OAuth. That means
there's only consumer credentials but no token credentials.

If the application is not hosted somewhere but deployed and installed at
their users', there's as far as I know no way to securely integrate consumer
credentials. Unfortunately I think it's difficult to give you advice
regarding key management, e.g. replacing compromised keys, without knowing
the exact circumstances.

Regards,
 Lukas Rosenstock

2010/7/30 Eric J. Smith 

> I am developing an API that will be used by users of my customers.
> Here is what the flow will look like:
>
> - User of my cloud-based service creates an API key.
> - User embeds the API key into their own custom applications.
> - User deploys the application to their own end users.
> - The application talks to our API.
>
> I am looking for advice on how to secure this API. I see a few issues:
>
> - API key has to be embedded into the users' application and is
> therefore vulnerable to being stolen and abused.
> - Once an API key is compromised, it can easily be disabled, but how
> will my users update their applications to use a new API key short of
> having to rebuild the application and redeploy?
>
> Does anyone have any ideas on how to design this?
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oa...@googlegroups.com.
To unsubscribe from this group, send email to 
oauth+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/oauth?hl=en.
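Two-legged OAuth 1.0a as described in the reply (consumer credentials only, so the token-secret half of the signing key is empty), together with the server-side revocation, freshness and replay checks that the key-management question touches on. This is an added example, not code from either poster; the consumer key, secret and URL are constructed for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    return quote(str(s), safe="-._~")  # RFC 3986 encoding, only unreserved characters kept

def base_string(method, url, params):
    # Normalize: encode names/values, sort by name then value, join as k=v pairs with '&'
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Two-legged: there is no token, so the key is "<consumer_secret>&" with an empty second half
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_request(method, url, query, consumer_key, consumer_secret, now=None):
    # Client side: add the oauth_* protocol parameters and sign with consumer credentials only
    params = dict(query)
    params.update({"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
                   "oauth_timestamp": str(int(now if now is not None else time.time())),
                   "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0"})
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return params

class Verifier:
    # Server side: keys can be revoked, timestamps must be fresh, nonces may not be replayed
    def __init__(self, secrets_by_key, window=300):
        self.secrets_by_key = dict(secrets_by_key)  # consumer_key -> consumer_secret (constructed)
        self.revoked, self.seen, self.window = set(), set(), window

    def revoke(self, consumer_key):
        self.revoked.add(consumer_key)  # a compromised key is disabled without touching the rest

    def verify(self, method, url, params, now=None):
        key = params.get("oauth_consumer_key")
        if key not in self.secrets_by_key or key in self.revoked:
            return False
        now = now if now is not None else time.time()
        if abs(now - int(params.get("oauth_timestamp", "0"))) > self.window:
            return False
        seen_key = (key, params.get("oauth_nonce"), params.get("oauth_timestamp"))
        if seen_key in self.seen:
            return False  # replay of an already-accepted request
        expected = sign(method, url, params, self.secrets_by_key[key])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(seen_key)
        return True
```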



Re: [oauth] SSL Gateway Service provider

2010-08-06 Thread Lukas Rosenstock
Interesting idea, don't know if that exists. But my question would be in
which scenarios an encrypted tunnel should be easier to configure compared
to installing an SSL certificate on the webserver itself?!

2010/7/30 Jake 

> Hello,
>
> Does anyone know of a service provider that offers SSL termination
> services that tie back to the application via secure tunnel instead of
> another SSL connection?  The idea is to offload all the SSL work to the
> service provider and just connect back to the application via an
> encrypted tunnel to avoid supporting the SSL connection cycle on our
> infrastructure.  Akamai kind of has something but they connect back to
> the origin servers via SSL which kind of kills the idea.
>
> I have no idea if this exists but am curious.
>
> Thanks.
>


-- 
http://lukasrosenstock.net/
