Posted to dev@shindig.apache.org by Michael Matthews <ma...@oclc.org> on 2012/05/22 20:43:26 UTC

Securing Oauth 1 secrets

I'm adding an OAuth 1.0 OAuthStore implementation to our OpenSocial
container so that gadgets can invoke services secured by OAuth 1.

I created a custom implementation of
org.apache.shindig.gadgets.oauth.OAuthStore and have it persisting all OAuth
1 data to a relational database. I'd like to make sure that all OAuth 1
secrets are encrypted. In our OAuth2 implementation, there was an
OAuth2Encrypter interface we implemented and it encrypted the OAuth2
secrets. In the OAuth 1 implementation, is the OAuthStore implementation
responsible for encrypting/decrypting secrets as they're read/written to a
database?

Thanks
Mike

Re: Securing Oauth 1 secrets

Posted by A Clarke <cl...@gmail.com>.
Mike,

Your OAuthStore is responsible for encrypting/decrypting the secrets.

The OAuth2Encrypter interface is there because of the lessons learned from
writing custom OAuth 1 stores.



On Tue, May 22, 2012 at 2:43 PM, Michael Matthews <ma...@oclc.org> wrote:

> I'm adding an OAuth 1.0 OAuthStore implementation to our OpenSocial
> container so that gadgets can invoke services secured by OAuth 1.
>
> I created a custom implementation of
> org.apache.shindig.gadgets.oauth.OAuthStore and have it persisting all OAuth
> 1 data to a relational database. I'd like to make sure that all OAuth 1
> secrets are encrypted. In our OAuth2 implementation, there was an
> OAuth2Encrypter interface we implemented and it encrypted the OAuth2
> secrets. In the OAuth 1 implementation, is the OAuthStore implementation
> responsible for encrypting/decrypting secrets as they're read/written to a
> database?
>
> Thanks
> Mike
>
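
Added example, not part of the thread and not Shindig code: one way a custom OAuthStore could encrypt a secret before writing it to the database and decrypt it after reading, using AES-GCM from the JDK (Java 8+ assumed). The class name `OAuthSecretCipher`, the `rowId` parameter and all sample values are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper a custom OAuthStore could call around its database reads and writes. */
public final class OAuthSecretCipher {
  private static final int IV_BYTES = 12;
  private static final int TAG_BITS = 128;
  private final SecretKey key;  // assumption: loaded from a keystore or KMS, not from the same database
  private final SecureRandom random = new SecureRandom();
  public OAuthSecretCipher(SecretKey key) { this.key = key; }

  /** Returns base64(IV || ciphertext || tag); rowId (e.g. the row's primary key) is bound as AAD. */
  public String encrypt(String secret, String rowId) throws GeneralSecurityException {
    byte[] iv = new byte[IV_BYTES];
    random.nextBytes(iv);  // fresh IV on every write; never reuse one under the same key
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
    c.updateAAD(rowId.getBytes(StandardCharsets.UTF_8));
    byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
    return Base64.getEncoder().encodeToString(
        ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
  }

  /** Throws AEADBadTagException if the stored value was modified or copied to a different row. */
  public String decrypt(String stored, String rowId) throws GeneralSecurityException {
    byte[] blob = Base64.getDecoder().decode(stored);
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
    c.updateAAD(rowId.getBytes(StandardCharsets.UTF_8));
    return new String(c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES), StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws GeneralSecurityException {
    KeyGenerator kg = KeyGenerator.getInstance("AES");
    kg.init(256);
    OAuthSecretCipher cipher = new OAuthSecretCipher(kg.generateKey());  // constructed demo key
    String row = "gadget-42|example-service";                            // constructed row identifier
    String stored = cipher.encrypt("constructed-token-secret", row);
    System.out.println(cipher.decrypt(stored, row));
    try { cipher.decrypt(stored, "gadget-43|example-service"); }
    catch (javax.crypto.AEADBadTagException e) { System.out.println("rejected: wrong row"); }
  }
}
```

The store would pass the consumer secret and token secret through `encrypt` before the INSERT or UPDATE and through `decrypt` after the SELECT, so only ciphertext reaches the database.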