Maxim Ponomarev, 2012-01-26 13:56:57
API

An explanation of the OAuth protocol?

For many days now I have been trying to understand the OAuth protocol, and there is one point I can't fit in my head:
Suppose I have a certain service with a REST API and an OAuth server. I create a desktop (or mobile) application, register it with the OAuth server, and get the app_id and app_secret it generates, which I later use to get a token. Suppose my application will send a work log to the service once a minute (using the POST method), and it should work 24/7 without human intervention, which means that I need a token that never expires. Next, I get a token and start working with the service. At the same time, as I understand it, the app_id, the app_secret and the token must all be stored somewhere. In the case of a desktop application, this is, for example, a configuration file or the Windows registry. Accordingly, this data can be compromised and used for bad purposes, for example, simply DDoSing my service with some third-party application.
Am I correct, or am I wrong somewhere?


3 answer(s)
Sergey Cherepanov, 2012-01-26
@maxvipon

Losing the app_secret is equivalent to losing a password for something.
If, for example, someone steals your ssh key, they can also get access to the server. The secret is our private key.

SergeyGrigorev, 2012-01-26
@SergeyGrigorev

Limit it to no more than 3 requests per second, as is done in the Vkontakte API. You can also check whether the requests are too frequent, and if so invalidate the token, so the user will have to re-authenticate when they want to use your application.
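
The per-token throttling and invalidation described in this answer, as an added example (not code from the thread, from WCF or from the Vkontakte API): a sliding-window limiter keyed by access token that allows 3 requests per second and, as an assumed extra policy not stated in the answer, revokes a token that keeps sending requests after it has been throttled. The threshold of 10 throttled requests within one window is an assumption, as are the token names and timestamps in the constructed traffic.

```python
import time
from collections import deque

# Policy from the answer above: at most 3 requests per second per token.
RATE_LIMIT = 3
WINDOW_SECONDS = 1.0
# Hypothetical abuse threshold (an assumption, not from the thread): a token
# that keeps hammering the API after being throttled is revoked outright.
ABUSE_THRESHOLD = 10


class TokenRateLimiter:
    """Sliding-window limiter keyed by access token, with automatic revocation."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS,
                 abuse_threshold=ABUSE_THRESHOLD):
        self.limit = limit
        self.window = window
        self.abuse_threshold = abuse_threshold
        self._accepted = {}   # token -> deque of accepted request timestamps
        self._rejected = {}   # token -> deque of throttled request timestamps
        self.revoked = set()  # tokens the client must re-authenticate to replace

    @staticmethod
    def _trim(window_deque, cutoff):
        # Drop timestamps that have fallen out of the sliding window.
        while window_deque and window_deque[0] <= cutoff:
            window_deque.popleft()

    def check(self, token, now=None):
        """Decide one request. Returns 'ok', 'throttled' or 'revoked'."""
        if now is None:
            now = time.monotonic()
        if token in self.revoked:
            return "revoked"
        cutoff = now - self.window
        accepted = self._accepted.setdefault(token, deque())
        self._trim(accepted, cutoff)
        if len(accepted) < self.limit:
            accepted.append(now)
            return "ok"
        # Over the limit: record the rejection and see whether this looks like abuse.
        rejected = self._rejected.setdefault(token, deque())
        self._trim(rejected, cutoff)
        rejected.append(now)
        if len(rejected) >= self.abuse_threshold:
            self.revoke(token)
            return "revoked"
        return "throttled"

    def revoke(self, token):
        """Invalidate a token; the legitimate client re-authenticates for a new one."""
        self.revoked.add(token)
        self._accepted.pop(token, None)
        self._rejected.pop(token, None)


def simulate():
    """Run constructed traffic (not real data) through the limiter."""
    limiter = TokenRateLimiter()
    # The legitimate logger from the question: one POST per minute.
    legit = [limiter.check("logger-token", t) for t in (0.0, 60.0, 120.0)]
    # A leaked token replayed by a third-party tool: 50 requests in half a second.
    flood = [limiter.check("leaked-token", 1000.0 + i * 0.01) for i in range(50)]
    # The legitimate client is unaffected by the other token's revocation.
    legit_after = limiter.check("logger-token", 1180.0)
    return {"legit": legit, "flood": flood, "legit_after": legit_after,
            "revoked": sorted(limiter.revoked)}


if __name__ == "__main__":
    result = simulate()
    print("legitimate client:", result["legit"], result["legit_after"])
    print("leaked token:", result["flood"][:3], "...", result["flood"][-1])
    print("revoked tokens:", result["revoked"])
```

Run it as a script to see the three outcomes. Note what this does and does not cover for the question's scenario: it caps what a leaked token can do at the API layer and forces re-authentication, but a client that stores app_id, app_secret and the token together, as the question describes, hands all three to whoever reads the file, so revocation alone does not lock that party out; the limiter makes the leaked credential much less useful for flooding the service rather than making the leak harmless.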

Maxim Ponomarev, 2012-01-26
@maxvipon

Sergey, thanks for the tip. I'll take a look and search for something for WCF.
