Feasible to use OAuth & Twitter Reverse-Auth to pass OAuth Token and Token Secret?
The end goal of this part of my project is to be able to authenticate the mobile device not with Twitter's servers, but with my own web platform. Both use Twitter to authenticate, and I want to avoid hard-coding my Twitter application 'secret' into my iOS app. Here is what I'm thinking of implementing:
- Mobile Device: Using Twitter's Reverse Auth, obtain the OAuth Token and OAuth Token Secret
- Pass these two values to the web platform
- Web platform: Generate a non-reversible encrypted sum and stores in database as a shared 'secret' between the mobile client and the server
Pass this secret back to the mobile client, and store on the mobile device
From now on, every time the mobile device uses the web platform's API, it will match the shared secret with a user's data.
From an efficiency standpoint, I understand this places a load on the web server, but the two requirements that must be satisfied are...
- The OAuth Application Secret must not be hard-coded into the mobile application
- The mobile device must be authenticated with my web server using some secure means.
I would appreciate links to any resources regarding Reverse Authentication (I have seen Tim Cook's example git project) or general feedback.
Solved the problem by bringing up a UIWebView that redirects to our rails backend for authentication. Prevents the need for direct Twitter authentication on the mobile application (avoiding storing our app secret on the mobile side).