I am developing an OAuth 2 REST API for a website I am working on. We have an official native mobile app which uses this API, and we are planning to make the API open to third-party developers.
Our native mobile app will have more permissions than the 3rd-party apps. I am doing that by setting permissions based on the client id or app id.
I am using the password grant type for the official app and the implicit grant type for the 3rd-party apps.
But the problem is that, as we are not using a client_secret in either case, a 3rd party may be able to get elevated permissions by somehow stealing our official client_id and using it to get access to the elevated permissions in the API which are exclusive to the official app.
Is there any way to prevent them from doing that? How do the official Facebook or Twitter apps do it?
You can use tokens that are a hash of this information (client_id, Official app, day, ...) for the application.
The 'day' is there so that you get a new token every day, which minimizes the risk.
And use tokens like these for 3rd parties: (client_id, 3rd party, ...).
So in your API, add a function to get the information back out of the tokens.
All requests to the API have to be over SSL; they are then validated at the server to decide if the request is to be processed or dropped.
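Server-side validation of the daily-token scheme the answer sketches, as an added Python example that is not code from the question or the answer; the key, the client_id and the "Official app" label are constructed values. Because the official app has to carry the key to compute its token, this only stops a third party who learned the client_id, not one who extracts the key from the app binary.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample values. The key must be known to the server and to the
# official app build, which is the weak point of this scheme.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
OFFICIAL_CLIENT_ID = "constructed-official-client-id"
OFFICIAL_LABEL = "Official app"


def daily_token(client_id: str, label: str, day: date, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over (client_id, label, day); the day field rotates the
    token every 24 hours, as the answer suggests."""
    message = "|".join([client_id, label, day.isoformat()]).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def permissions_for(client_id: str, token: str, today: date, key: bytes = SERVER_KEY) -> str:
    """Server-side check deciding which permission level a request gets.

    Returns "official" only for the official client_id presenting a valid
    daily token; every other combination is treated as a third-party app.
    """
    if client_id != OFFICIAL_CLIENT_ID:
        return "third-party"
    # Accept today's and yesterday's token so a request sent just before
    # midnight (or from a device with a slightly skewed clock) still passes.
    for day in (today, today - timedelta(days=1)):
        expected = daily_token(client_id, OFFICIAL_LABEL, day, key)
        # Constant-time comparison so the check does not leak via timing.
        if hmac.compare_digest(expected, token):
            return "official"
    # Correct client_id but no valid token: someone who only stole the id.
    return "third-party"


if __name__ == "__main__":
    today = date(2024, 1, 2)
    good = daily_token(OFFICIAL_CLIENT_ID, OFFICIAL_LABEL, today)
    print(permissions_for(OFFICIAL_CLIENT_ID, good, today))      # official
    print(permissions_for(OFFICIAL_CLIENT_ID, "stolen-id", today))  # third-party
```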