A short presentation given by Taras Filatov, director of Injoit.com at Londroid (Android in London, http://bit.ly/ciDOBF) Meetup on 17th of June 2010.
This covers some aspects of using OAuth in mob1serv (a universal server API for iPhone and Android) and, more generally, of OAuth on the Android platform.
5. iGetScores
OAuth nonce / time zones problem
http://www.injoit.com/blog/2009/06/26/getting-to-know-oauth/
Different time zones of players caused OAuth to stop working.
6. Mob1serv
http://www.mob1serv.com/
• Mob1serv is a SaaS suite providing a single solution to all typical server-side tasks faced by mobile developers
• One library, 5 min installation
• Huge added value for end users: Online High Scores, IM/PM (direct messaging), Events Notification, GPS location tracking, Banners Manager, Facebook / Twitter / Google integration, Files storage etc.
• Serious business-class service, no annoying ads or 3rd-party advertisement
http://www.mob1serv.com/help/quick-install/
8. OAuth in Mob1serv
http://www.mob1serv.com/oauth-contracter/
AUTHENTICATION EVOLUTION
1st version: Standard OAuth ‘3-legged’ scheme
* 2 keys: Consumer and Secret
* Application works with the server through HTTP requests (data is NOT encrypted, it is only signed with an HMAC-SHA hash)
* App sends Consumer Key and Consumer Secret to receive Access Token and Access Token Secret
* App sends Consumer Key, Consumer Secret, Access Token,
NOW: improved scheme (simplified but more secure)
* Consumer Key replaced with Token
* All requests are signed with a hash of the merged parameters keyed with the Consumer Secret, but the Consumer Secret itself is NEVER transmitted in the clear, to avoid Man-in-the-middle attacks
* Timestamp and nonce are still used to avoid Replay attacks
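The following is an added example, not code from the presentation or from mob1serv, that puts the two ideas above together: the improved signing scheme (token in the clear, HMAC over the merged parameters keyed with a consumer secret that never goes on the wire, plus timestamp and nonce), and the iGetScores time-zone failure from slide 5 (a client that stamps requests with local wall-clock time instead of UTC epoch seconds lands outside the server's acceptance window). Both sides are written in Python so the exchange can be run offline; the parameter names (`token`, `timestamp`, `nonce`, `signature`), the credentials, the 300-second window and the HMAC-SHA1 choice are assumptions for illustration, not mob1serv's actual API.

```python
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed sample credentials (placeholders, not real mob1serv keys).
TOKEN = "demo-token-1234"
CONSUMER_SECRET = "demo-consumer-secret"  # shared out-of-band; never sent on the wire


def normalize_params(params):
    """Canonical form of the merged parameters: percent-encode each key and
    value, sort by key, join with '&'. Modelled on OAuth 1.0 parameter
    normalization (RFC 5849 section 3.4.1.3.2); the signature key is omitted."""
    items = sorted(
        (urllib.parse.quote(k, safe="~"), urllib.parse.quote(str(v), safe="~"))
        for k, v in params.items()
    )
    return "&".join(f"{k}={v}" for k, v in items)


def sign(params, consumer_secret):
    """HMAC-SHA1 over the normalized parameters, keyed with the consumer secret.
    The secret only ever appears as the HMAC key, never as a parameter."""
    base = normalize_params(params).encode()
    return hmac.new(consumer_secret.encode(), base, hashlib.sha1).hexdigest()


def build_request(params, token, consumer_secret, now=None, nonce=None):
    """Client side: merge token, UTC timestamp and nonce into the request
    parameters and attach the signature. `now` must be seconds since the
    Unix epoch (UTC), which is what time.time() returns on every platform."""
    signed = dict(params)
    signed["token"] = token
    signed["timestamp"] = int(now if now is not None else time.time())
    signed["nonce"] = nonce or secrets.token_hex(8)
    signed["signature"] = sign(signed, consumer_secret)
    return signed


class Verifier:
    """Server side: look up the secret by token, recompute the signature,
    reject stale timestamps and replayed (token, timestamp, nonce) triples."""

    def __init__(self, secrets_by_token, window=300):
        self.secrets_by_token = secrets_by_token
        self.window = window  # assumed acceptance window, in seconds
        self.seen = set()     # (token, timestamp, nonce) already accepted

    def verify(self, request, now=None):
        now = now if now is not None else time.time()
        req = dict(request)
        provided = req.pop("signature", None)
        secret = self.secrets_by_token.get(req.get("token"))
        if secret is None or provided is None:
            return "unknown token"
        # Constant-time comparison so the check does not leak by timing.
        if not hmac.compare_digest(sign(req, secret), provided):
            return "bad signature"
        ts = int(req["timestamp"])
        # A client whose clock is in local time rather than UTC, or simply
        # skewed, fails here: this is the time-zone failure from slide 5.
        if abs(now - ts) > self.window:
            return "stale timestamp"
        key = (req["token"], ts, req["nonce"])
        if key in self.seen:
            return "replay"
        self.seen.add(key)
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: a score submission, replayed, tampered, and sent
    # by a client three hours east that stamped local time instead of UTC.
    server = Verifier({TOKEN: CONSUMER_SECRET})
    t0 = 1_276_800_000  # constructed epoch time (June 2010)
    req = build_request({"game": "iGetScores", "score": 1500}, TOKEN, CONSUMER_SECRET, now=t0, nonce="abc123")
    print("fresh   :", server.verify(req, now=t0 + 10))
    print("replayed:", server.verify(req, now=t0 + 10))
    tampered = dict(req, score=9999)
    print("tampered:", server.verify(tampered, now=t0 + 10))
    skewed = build_request({"game": "iGetScores", "score": 1500}, TOKEN, CONSUMER_SECRET, now=t0 + 3 * 3600, nonce="zzz")
    print("skewed  :", server.verify(skewed, now=t0))
```

The server keeps the secret only as HMAC key material, so a passive observer sees the token, timestamp, nonce and signature but never anything it could reuse to sign a different request; the nonce set bounds replay, and the window bounds how long that set must be retained. The ordering of the checks matters: signature first, so unauthenticated traffic cannot fill the nonce store, then timestamp, then nonce.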