[aerogear-dev] iOS SDK for OAuth2
Bruno Oliveira
bruno at abstractj.org
Mon Feb 2 14:28:33 EST 2015
Good morning, I was reviewing our SDK for iOS and I have few questions:
1. For example at Shoot app. Why our users have to configure to insert
the app ID at Shoot-Info.plist and also insert the same app ID at
ViewController? I was just wondering that once the app ID is informed,
you don't need to inform it again.
2. We have a note:
"Because this demo securely stores OAuth2 tokens in your iOS keychain,
we chosen to use WhenPasscodeSet policy as a result to run this app you
need to have your passcode set"
I think that's amazing, but at the same time we instruct our devs, to
insert the client secret hard coded into the app. Something like:
let facebookConfig = FacebookConfig(
clientId: "XXXXXX",
clientSecret: "42",
scopes:["photo_upload, publish_actions"])
Doing the reverse engineering of the app, would permit me to get the
secret and mimic your FB app.
So I would like to remove the need to input the same information twice
and encrypt the client secret using password based encryption.
Let me know what do you think and I will start to file Jiras to myself.
Note: This is not an issue specific to iOS. All the projects will get
the same love and feedback.
--
abstractj
PGP: 0x84DC9914
More information about the aerogear-dev
mailing list