[aerogear-dev] iOS SDK for OAuth2

Bruno Oliveira bruno at abstractj.org
Tue Feb 3 07:04:21 EST 2015


On 2015-02-03, Corinne Krych wrote:
>
> > On 02 Feb 2015, at 20:28, Bruno Oliveira <bruno at abstractj.org> wrote:
> >
> >
> > Good morning, I was reviewing our SDK for iOS and I have a few questions:
> >
> > 1. For example, in the Shoot app: why do our users have to insert
> > the app ID in Shoot-Info.plist and also insert the same app ID in
> > ViewController? I was just thinking that once the app ID is provided,
> > you don't need to provide it again.
> >
>
>
> Good point. Go ahead if you feel like pull requesting; if not, create a JIRA for the 2.2 release.

Sure, will do!

>
> > 2. We have a note:
> >
> > "Because this demo securely stores OAuth2 tokens in your iOS keychain,
> > we have chosen to use the WhenPasscodeSet policy; as a result, to run
> > this app you need to have your passcode set"
> >
> > I think that's amazing, but at the same time we instruct our devs to
> > insert the client secret hard-coded into the app. Something like:
> >
> > let facebookConfig = FacebookConfig(
> >     clientId: "XXXXXX",
> >     clientSecret: "42",
> >     scopes:["photo_upload, publish_actions"])
> >
> > Reverse engineering the app would permit me to get the
> > secret and mimic your FB app.
> >
> > So I would like to remove the need to input the same information twice
> > and encrypt the client secret using password based encryption.
> >
>
> Oki, where do you want to store the encryption key? Keychain?

I think this is a good scenario for offline. The developer would be able
to insert the secret in clear text and based on the private key stored
in the Keychain, we encrypt it.

I will turn both into Jiras and this will be included for offline.

Thanks for the feedback

>
> > Let me know what you think and I will start to file Jiras to myself.
> >
> > Note: This is not an issue specific to iOS. All the projects will get
> > the same love and feedback.
> >
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev

--

abstractj
PGP: 0x84DC9914