Nowadays it's normal for users to PUSH/PULL data TO/FROM 3rd party Web Applications via your Website.
eg: Facebook LIKE button
USE CASE
1. A User (or You on behalf of the User) wants to log in to their account
on a 3rd party Web Application and pass data to your Web Application.
eg: Tweet from your website using their Twitter name
Check their Gmail from your website
QUESTION:
Can a user submit their Login Credentials via your WebApp and expect you to securely handle their Sensitive Data?
How does your Web App Authorise & Store their Login Credentials?
How does your website make Requests based on Their Login Credentials?
ANSWER:
OAuth v1 or v2
With an OAuth Client connecting to an OAuth Server, we can solve the above USE CASE.
Study the above Diagram for an Overview of OAuth v1
When you're ready to connect to 3rd party Web Apps... read their Documentation of their implementation of OAuth, since methods and names may change.
Client Side implementation of OAuth
With Browser side code you have no way of PREVENTING people from seeing your Secret credentials: the consumer secret that goes with your 'oauth_consumer_key', and your 'oauth_token_secret'.
StackOverflow Article, StackOverflow Article 2
Read the following Very Interesting Article for some ideas on solving Client Side OAuth implementation Security Problems. http://derek.io/blog/2010/how-to-secure-oauth-in-javascript/
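To see why those two secrets must stay off the browser, here is an added example (not code from this post or from the derek.io article) of the OAuth v1 HMAC-SHA1 signing step: the consumer secret and token secret ARE the HMAC key, so anyone who can read them from your JavaScript can sign requests as your application. The key/token/nonce values used with it are constructed sample values, and the base URL is assumed to be already normalised.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # method + normalised base URL + every parameter except oauth_signature,
    # sorted by encoded name then encoded value (assumes url is already normalised)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])

def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    # The HMAC key is consumer secret + '&' + token secret: whoever holds these
    # two values can sign requests as your application, so keep them server side
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def signed_oauth_params(method, url, params, consumer_key, consumer_secret,
                        token, token_secret, nonce=None, timestamp=None):
    # Build the oauth_* parameters (Authorization header or query) for one request
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = sign_hmac_sha1(base, consumer_secret, token_secret)
    return oauth

def verify_signature(method, url, received, consumer_secret, token_secret):
    # Server-side check: recompute from the received parameters, compare in constant time
    params = dict(received)
    provided = params.pop("oauth_signature", "")
    base = signature_base_string(method, url, params)
    return hmac.compare_digest(sign_hmac_sha1(base, consumer_secret, token_secret), provided)
```

The same functions serve both sides: your server signs outgoing requests with secrets it never sends to the browser, and an OAuth Server verifies them by recomputing the signature from the parameters it received.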
Note:
You should also understand
SAME-ORIGIN POLICY
SAME-ORIGIN POLICY 2
JSONP