Hacker News

I use OAuth for an application written in PHP, and as such, there's no possible way to trust the client/secret, given that the source is not obfuscated in any way. This application talks to my own server, and the OAuth flow is basically just a way to avoid storing username/password combinations. The client key/secret have to be treated as permanently compromised, so the only thing I use those for is version usage statistics.

The question is, given that your key/secret will be compromised, is there any point in even having it in the OAuth flow?



