When using the Twitter API, I came across oauth_signature, which is basically a hash of (request body + request parameters + nonce / timestamp + a consumer_secret). The consumer_secret is known only to the application that sends the request.
In the case of Twitter:
- All messages MUST run over SSL.
- Twitter gives a consumer_secret to each authorized application.
Since the primary use of oauth_signature is to prevent MITM (i.e. no tampering (spoofing in transit) :), it seems to me that this particular use case could be solved with mutual SSL:
- Instead of issuing a consumer_secret, Twitter could issue an SSL certificate to each application.
Although this idea of client SSL certificates might seem like a 1990s web anachronism, it was unsuccessful in large part because of problems with verifying the trust chain for client certificates. That problem does not arise here, because Twitter would be the sole issuer and verifier of the certificates. The drawback would be much more active involvement from Twitter in creating the initial SSL certificates for applications / clients, but the gain would be simplicity in the REST API, which could rely on the guarantee that the client is who it says it is.
Please note that Twitter is just an example here. AFAIK most other OAuth providers use a similar strategy, and the points here apply to any large-scale OAuth provider that already requires SSL.
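The oauth_signature the question describes, as an added example (not code from the question, from Twitter, or from any OAuth library): an OAuth 1.0a HMAC-SHA1 signer following RFC 5849, plus the checks a provider has to perform on receipt. Every credential, the endpoint URL and the request parameters are constructed for illustration. It shows exactly what the signature binds (HTTP method, base URL, every query, body and oauth_* parameter, and the two secrets) and that the signature by itself does not stop a captured request from being replayed, which is why the nonce and timestamp exist and why the verifier has to track them.

```python
"""OAuth 1.0a HMAC-SHA1 signing (RFC 5849) with a minimal server-side verifier.

Constructed example: every credential and request value below is made up for
illustration and is not a real Twitter key, secret or endpoint.
"""
import base64
import hashlib
import hmac
import time
import urllib.parse

SAMPLE_URL = "https://api.example.com/1.1/statuses/update.json"   # assumed endpoint
SAMPLE_CONSUMER_SECRET = "demo_consumer_secret"                    # constructed
SAMPLE_TOKEN_SECRET = "demo_token_secret"                          # constructed
SAMPLE_PARAMS = [                                                  # constructed
    ("status", "Hello World!"),            # form-encoded body parameter
    ("oauth_consumer_key", "ck_demo"),
    ("oauth_nonce", "abc123"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1318622958"),
    ("oauth_version", "1.0"),
]


def pct(value):
    """RFC 5849 3.6 percent-encoding: keep only ALPHA / DIGIT / - . _ ~."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(base URL) & enc(params sorted by encoded name, then value).

    params holds query, form-body and oauth_* parameters together;
    oauth_signature itself is never part of the string it protects.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    base = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


class Verifier:
    """What the provider must do: recompute the signature, and also reject
    stale timestamps and reused nonces, since the signature alone does not
    stop a captured request from being replayed."""

    def __init__(self, consumer_secret, token_secret="", window=300, now=time.time):
        self.consumer_secret = consumer_secret
        self.token_secret = token_secret
        self.window = window            # accepted clock skew in seconds
        self.now = now                  # injectable clock, so the demo is deterministic
        self.seen = set()               # (timestamp, nonce) pairs already accepted

    def verify(self, method, url, params, presented_signature):
        p = dict(params)
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(self.now() - ts) > self.window:
            return False                # stale or future-dated request
        nonce_key = (ts, p.get("oauth_nonce"))
        if nonce_key in self.seen:
            return False                # replay of an already-accepted request
        expected = sign(method, url, params, self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(expected, presented_signature):
            return False                # a covered field was altered, or the secret is wrong
        self.seen.add(nonce_key)
        return True


def demo(clock=1318622958):
    """Sign the sample request, then show what the verifier accepts and rejects."""
    sig = sign("POST", SAMPLE_URL, SAMPLE_PARAMS, SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET)
    server = Verifier(SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET, now=lambda: clock)
    tampered = [(k, "Hello World! (edited in transit)") if k == "status" else (k, v)
                for k, v in SAMPLE_PARAMS]
    results = {"signature": sig}
    results["tamper_rejected"] = not server.verify("POST", SAMPLE_URL, tampered, sig)
    results["genuine_accepted"] = server.verify("POST", SAMPLE_URL, SAMPLE_PARAMS, sig)
    results["replay_rejected"] = not server.verify("POST", SAMPLE_URL, SAMPLE_PARAMS, sig)
    stale = Verifier(SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET, now=lambda: clock + 3600)
    results["stale_rejected"] = not stale.verify("POST", SAMPLE_URL, SAMPLE_PARAMS, sig)
    return results


if __name__ == "__main__":
    print(signature_base_string("POST", SAMPLE_URL, SAMPLE_PARAMS))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats worth keeping in mind when weighing this against a client certificate: the signature covers only the method, URL and parameter set, so request headers and anything else outside that set are not protected by it, and the verifier needs per-consumer nonce state to make the replay check work. A client certificate authenticates the TLS connection as a whole rather than each individual request, so the two mechanisms do not protect exactly the same thing.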