On Fri, Aug 23, 2013 at 7:38 AM, Nicolas Vervelle <nvervelle(a)gmail.com> wrote:
The best workaround now is probably to have each user register their copy of your desktop application as its own consumer. It's a little ugly having to give your user instructions on cutting and pasting tokens and keys around, but it can work (in the early days of Salesforce, several OAuth apps were configured this way).
Seems very complex for users, so I won't go that way for WPCleaner.
Is it possible to use only one client, with the secret key included in the distribution? (A user with enough determination will be able to extract it.)
This would mean that there's not 100% certainty about the client being the true one. But the attacker would only be able to impersonate the application, not the user.
Unfortunately, no. This is one of the subtleties of OAuth 1. Since we don't require HTTPS for getting the user token, or using a user token, it's possible to impersonate a user by compromising the consumer's secret key if the attacker has also been able to sniff traffic generated by that consumer.
It does sound like the current iteration of the extension may not be the
best fit. But it's good to know about these use cases, so we can set
priorities for future development.
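The failure mode described in the reply above, worked through as an added example; this is not code from the MediaWiki OAuth extension or from WPCleaner. It implements OAuth 1.0a HMAC-SHA1 signing and verification per RFC 5849 against an in-memory stand-in for the wiki. The consumer key and secret, the API URL, the user "Alice" and the "sniffed" access-token response body are all constructed for the demo; the one real assumption is the one the reply states, that the token exchange travels over plain HTTP, so the response body (including oauth_token_secret) is readable on the wire.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing/verification. Added example with constructed
credentials; shows why consumer secret + sniffed token response = user impersonation."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote

CONSUMER_KEY = "wpcleaner-demo-key"                     # constructed
CONSUMER_SECRET = "consumer-secret-shipped-in-the-jar"  # constructed, ships with client
API_URL = "http://wiki.example/w/api.php"               # constructed, note plain HTTP


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(url) & enc(sorted, encoded k=v pairs)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with consumer_secret & token_secret: both halves are needed."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def signed_request(method, url, params, consumer_key, consumer_secret,
                   token, token_secret, nonce=None, timestamp=None):
    """Return (method, url, params) with oauth_* parameters and the signature added."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    signature = sign(method, url, {**params, **oauth}, consumer_secret, token_secret)
    return method, url, {**params, **oauth, "oauth_signature": signature}


class Server:
    def __init__(self):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.tokens = {}          # oauth_token -> (token_secret, username)
        self.seen_nonces = set()  # (consumer_key, token, nonce) already accepted

    def issue_access_token(self, username):
        """Access-token response body; over plain HTTP it crosses the wire in the clear."""
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = (token_secret, username)
        return f"oauth_token={token}&oauth_token_secret={token_secret}"

    def verify(self, method, url, params):
        """Return the acting username if signature and nonce check out, else None."""
        p = dict(params)
        presented = p.pop("oauth_signature", "")
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        token_secret, user = self.tokens.get(p.get("oauth_token"), (None, None))
        nonce_key = (p.get("oauth_consumer_key"), p.get("oauth_token"), p.get("oauth_nonce"))
        if consumer_secret is None or token_secret is None or nonce_key in self.seen_nonces:
            return None
        if not hmac.compare_digest(sign(method, url, p, consumer_secret, token_secret), presented):
            return None
        self.seen_nonces.add(nonce_key)
        return user


def demo():
    server = Server()
    # 1. The genuine client fetches Alice's access token over plain HTTP and uses it.
    wire_body = server.issue_access_token("Alice")
    creds = parse_qs(wire_body)
    token, token_secret = creds["oauth_token"][0], creds["oauth_token_secret"][0]
    legit = signed_request("GET", API_URL, {"action": "query", "meta": "userinfo"},
                           CONSUMER_KEY, CONSUMER_SECRET, token, token_secret)
    results = {"legit": server.verify(*legit)}
    # 2. An attacker who sniffed that body and extracted CONSUMER_SECRET holds the whole key.
    sniffed = parse_qs(wire_body)
    edit = {"action": "edit", "title": "Main Page", "text": "forged"}
    forged = signed_request("POST", API_URL, edit, CONSUMER_KEY, CONSUMER_SECRET,
                            sniffed["oauth_token"][0], sniffed["oauth_token_secret"][0])
    results["forged"] = server.verify(*forged)
    # 3. Sniffing alone is not enough: with a wrong consumer secret the HMAC key is wrong.
    wrong_key = signed_request("POST", API_URL, edit, CONSUMER_KEY, "not-the-consumer-secret",
                               sniffed["oauth_token"][0], sniffed["oauth_token_secret"][0])
    results["sniff_only"] = server.verify(*wrong_key)
    # 4. Replaying a captured signed request is stopped by the nonce check alone.
    results["replay"] = server.verify(*legit)
    return results
```

Calling demo() returns {"legit": "Alice", "forged": "Alice", "sniff_only": None, "replay": None}. The point of step 2 is that the consumer secret is not just an application identifier: in OAuth 1.0a it is half of the HMAC key for every request the user's token signs, so once it is public, the only thing protecting the user is the secrecy of the token secret on the wire. Requiring HTTPS for the token endpoints (and for signed requests) removes the sniffing half; the nonce check in step 4 only stops replay of captured requests, not forgery of new ones.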