I'd like to run something past everyone to make sure I'm not missing
something obvious that would make what I'm thinking of doing insecure.

I'm working on a web application with an iPhone app that goes along
with it (we haven't launched yet). Our web application provides an API
that the iPhone application uses.

Our iPhone application is approved for and successfully using xAuth
for signing users in. Once xAuth comes back, the iPhone application
only stores the OAuth key/secret pair for the user. Our web
application is only using standard OAuth for signing in - it doesn't
accept usernames and passwords directly from users.

I'd like to offer a simple and secure way for the iPhone application
to not only authorize itself with our API, but identify the user
making the request.

Would it be wrong or insecure for the iPhone application to pass along
the access key and access secret for the user on each API call to our
web application? This would sufficiently identify the user and, if I'm
understanding correctly, wouldn't be able to be used by anyone if
intercepted because they wouldn't have our application's consumer key/
secret.

Again, I could very well be missing something here in terms of how
secure this approach would be; that's why I'm asking first. I
appreciate any feedback on this plan. Thank you in advance.

--
Thomas Mango
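As an added illustration (not code from the original post, nor Twitter's or any library's own implementation), here is the OAuth 1.0a HMAC-SHA1 signed request that an API like the one described could accept instead of receiving the raw key/secret pair: the access token goes on the wire to identify the user, but the token secret and consumer secret are used only as the HMAC key and never transmitted, and the server recomputes the signature from the secrets it holds. The server side also rejects stale timestamps and replayed nonces, so a captured request cannot simply be resent. All keys, secrets, URLs and the in-memory nonce store are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote, urlparse

def pct(s):
    # Percent-encode per RFC 3986 as OAuth 1.0a requires (only unreserved characters kept)
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & encoded base URL & encoded normalized parameter string
    u = urlparse(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 over the base string; both secrets form the key and never go on the wire
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def client_request(method, url, query, consumer_key, consumer_secret, token, token_secret):
    # What the app sends: oauth_token identifies the user; the secrets only feed the HMAC
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
             "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0"}
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth}, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())
    return {"method": method, "url": url, "query": dict(query), "authorization": header}

def parse_auth_header(header):
    # Turn 'OAuth k="v", k2="v2"' back into a dict of decoded oauth_* parameters
    pairs = (part.split("=", 1) for part in header[len("OAuth "):].split(", "))
    return {unquote(k): unquote(v.strip('"')) for k, v in pairs}

SEEN_NONCES = set()  # placeholder; in production a shared store, expired after max_skew seconds

def server_verify(req, consumer_secrets, token_secrets, seen_nonces=SEEN_NONCES, max_skew=300):
    # Look up secrets for the presented key/token, recompute, compare in constant time; returns (ok, token)
    oauth = parse_auth_header(req["authorization"])
    sig = oauth.pop("oauth_signature", "")
    ckey, token = oauth.get("oauth_consumer_key"), oauth.get("oauth_token")
    if ckey not in consumer_secrets or token not in token_secrets:
        return False, None
    stale = abs(time.time() - int(oauth.get("oauth_timestamp", "0"))) > max_skew
    if stale or (ckey, token, oauth.get("oauth_nonce")) in seen_nonces:  # stale or replayed request
        return False, None
    seen_nonces.add((ckey, token, oauth.get("oauth_nonce")))
    expected = sign(req["method"], req["url"], {**req["query"], **oauth},
                    consumer_secrets[ckey], token_secrets[token])
    return hmac.compare_digest(sig, expected), token
```

A server that only ever sees `oauth_token` plus a signature still knows which user is calling, and an intercepted request yields neither secret and cannot be replayed past the nonce check.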
