Privacy/BestPractices/OAuth

567 bytes added, 21:56, 23 May 2011
== Designs of OAuth Consumers ==
 
While data hosts that offer OAuth are consistently web-based services, e.g. Facebook, consumers of OAuth services vary, and this variation can affect the preferable OAuth implementation path.
=== Web-based ===
The typical OAuth architecture involves a web-based data host, e.g. Facebook, a web-based consumer, e.g. FarmVille, and a user accessing both the data-host and the consumer services via a typical web browser with no special capabilities. The most important property of this setup is that the consumer sits on a controlled server and can easily maintain the secrecy of its authentication credentials.
=== Device-based ===
In some cases, e.g. desktop software or mobile-device apps, the consumer is not hosted on a remote server. Instead, it runs entirely on each user's device. In this scenario, it is not possible for the data host to truly authenticate the consumer: an attacker can extract all secrets from the software binary. Closed-source software distributed in a tightly controlled environment, e.g. iOS apps, has an inherent advantage here when it needs to keep credentials secret: though it is still possible to extract secret credentials, it is a good bit more difficult.
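Since whatever a device-based consumer holds ships to every user, the defensive counterpart is a release-time check that the built artifact does not carry the consumer secret in the encodings it usually ends up in. The following is an added example, not code from the original page; the secret and the sample binary are constructed placeholders.

```python
import base64
from typing import Dict, List


def secret_encodings(secret: str) -> Dict[str, bytes]:
    """Byte patterns a consumer secret commonly takes inside a shipped binary."""
    raw = secret.encode("utf-8")
    return {
        "plain": raw,
        # Windows and some mobile toolchains store string constants as UTF-16LE
        "utf-16le": secret.encode("utf-16-le"),
        "hex": raw.hex().encode("ascii"),
        # padding stripped so both padded and unpadded base64 forms match
        "base64": base64.b64encode(raw).rstrip(b"="),
    }


def find_secret(blob: bytes, secret: str) -> List[str]:
    """Return the names of the encodings in which `secret` appears in `blob`."""
    return [name for name, pattern in secret_encodings(secret).items()
            if pattern in blob]


def release_check(blob: bytes, secret: str) -> bool:
    """True when the artifact is clean, False when the secret is recoverable."""
    return not find_secret(blob, secret)


# Constructed sample (hypothetical credential, fake binary), not a real artifact.
SECRET = "example-consumer-secret-0123"
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"OAUTH_CLIENT_SECRET=" + base64.b64encode(SECRET.encode()) + b"\x00"
    + b"some other strings\x00"
)

if __name__ == "__main__":
    print("secret found as:", find_secret(SAMPLE_BINARY, SECRET))  # ['base64']
    print("release check passed:", release_check(SAMPLE_BINARY, SECRET))  # False
```

The check only catches direct encodings; a secret split across constants or obfuscated will pass it and is still recoverable by anyone with the binary, which is exactly the limitation the paragraph above describes.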
=== Hybrid ===