Ok, so here's the background. I am working on a widget which can be plugged into any website to add some functionality to it. In order to authenticate against the API, I provide a client token and a secret.
When the client widget authenticates, it passes a client-generated challenge string, the client token, and a hash which is calculated as hash(challenge+secret). Everything except the secret is available to the client.
This scheme is currently vulnerable to someone copying the challenge string, client token and hash and then reusing them on any other site. Currently, the only solution I can think of to resolve this is to use short-lived (say 20 mins) server-generated challenge strings and use those to generate a hash. Thus only the client token and hash would be available to the client, and they will only be valid for about 20 mins or so.
Is there any better way to do this?
Off the top of my head, one option would be to embed the domain name into the hash so that you can validate it is from the domain that is authorized to use the token. If it comes from any others, send back an error. You might have to provide a mechanism for people to test on localhost or on development/staging domains, but that seems minor overall.
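
The two ideas in this thread (a short-lived server-generated challenge and a domain embedded in the hash) combined in one server-side check, as an added example that is not part of the original posts. It assumes HMAC-SHA256 in place of the plain hash(challenge+secret), and that the API server takes the domain from the request it observes (for instance the host in the Origin header); the names `CLIENTS`, `ISSUED`, `issue_challenge`, `sign` and `verify` and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 20 * 60  # seconds; the 20 minutes suggested in the question

# Constructed sample registry: client token -> (secret, authorized domains).
# "localhost" is listed to allow the local testing the answer mentions.
CLIENTS = {"tok_demo": (b"constructed-demo-secret", {"shop.example", "localhost"})}
ISSUED = {}  # challenge -> expiry time; in-memory store for this example only


def _now(now):
    return time.time() if now is None else now


def issue_challenge(now=None):
    """Server-generated challenge, remembered together with its expiry."""
    challenge = secrets.token_hex(16)
    ISSUED[challenge] = _now(now) + CHALLENGE_TTL
    return challenge


def sign(secret, challenge, domain):
    """HMAC over challenge and domain: the value does not verify for another domain."""
    msg = f"{challenge}|{domain.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(token, challenge, domain, mac, now=None):
    """Return (ok, reason). `domain` is what the server observed for the
    request (assumption: Origin host), not a field the client chooses."""
    if token not in CLIENTS:
        return False, "unknown token"
    secret, allowed = CLIENTS[token]
    if domain.lower() not in allowed:
        return False, "domain not authorized"
    expires = ISSUED.get(challenge)
    if expires is None:
        return False, "unknown challenge"
    if _now(now) > expires:
        return False, "challenge expired"
    # Constant-time comparison avoids leaking how many leading characters match.
    if not hmac.compare_digest(sign(secret, challenge, domain), mac):
        return False, "bad hash"
    return True, "ok"
```

Browsers set the Origin header themselves and page scripts cannot override it, so this rejects a copied token and hash replayed from another site's pages; a non-browser client can send any Origin value, so the short expiry remains the limit on a copied hash there.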