Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to store consumer secret for two-legged OAuth provider?

Tags:

security

password-protection

oauth

I'm implementing the provider side of a two-legged OAuth protocol for API authentication. We will provide the consumer with a consumer key and secret, which they will use to sign requests. The 2-legged OAuth is dictated by an interoperability standard, and thus a requirement.

The secret is sort of akin to a password, and I would never normally store a password as plain text (bCrypt or similar would be my normal choice). But because my provider needs access to the plain-text secret to verify the signature, it has to be either in some plain-text or reversible form.

I've considered the following options:

Store the secret as plain text

It's the most obvious solution, but if the database is compromised somehow, then all of the secrets will have to be changed. To me this solution is not ideal because it has all of the problems of storing a password in plain-text.

Apply reversible encryption (e.g. AES) with an encryption key stored elsewhere

This will provide some security, because if the database is compromised then the secrets will still be safe. But reversible encryption requires an encryption key, and the key has to be stored on the server. It means that if an attacker compromises the machine, then the encryption can be circumvented.

Is there something I haven't thought of?

Clarification Effectively it's using 2-legged Oauth as a single-signon system. The 'consumer' creates a request including the consumer key, a nonce, and several other parameters. The whole request is then signed by computing an HMAC-SHA1 with the consumer secret. When the request reaches our provider system, the process is repeated and if the signatures match then the request processing continues. We therefore need the plain-text secret to compute the HMAC-SHA1 signature on our side too. Unfortunately this mechanism is dictated by the industry-standard protocol that we need to comply with.

like image 428
Jonathan Avatar asked Nov 04 '22 23:11

Jonathan

1 Answers

Take a look at this previous question. I'm not an expert on the topic, but I think you're missing part of the equation. In addition to the consumer key and secret, you'll be verifying the application that's sending the request (using an x509 certificate if you're using RSA-SHA1).

like image 166
tex Avatar answered Nov 09 '22 11:11

tex
Sign in to Comment

Related questions

Document-Based Security in ASP.NET MVC
Microsoft Security Catalog Format Documentation and API Samples
User input filtering - do I need to filter HTML?
Code Access Security - Basics and Example
Implementing Security for Rss Feeds
Client Side Includes on HTML pages
ASP.NET: disabling authentication for a single aspx page (custom error page)?
How do I copy security information when creating a new folder?
Running as Admin, How do I check if some windows account has permissions to read a directory?
Pre-built login / authentication component for a php app?
Servlet filters for abuse prevention? (DoS, spam, etc)
How to secure my generic handler calls?
Securing SSJS against unverified code
Securing paths in PHP
How do you install a Mac OS X Security Auth Plugin?
Privacy & Security in user database [closed]
Creating a secure, web-based password management system with the ability to share data between users
Java security policy: granting access depending on classloader
Apache basic authentication with the username/password in the url
rails: mass-assignment security concern with belongs_to relationships

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!