Client secret for Django oauth
Asked by Ashish Gupta

I am using Django OAuth Toolkit and Django REST framework for OAuth authentication for a mobile app. For accessing any protected resource, the client id and secret of the app are required. Where should I store the client secret? Storing it in the APK is unsafe as it can be decompiled. Even obfuscation can be reverse engineered. Then what's the best and safe way to serve the client secret to the app?
It isn't extremely important to keep the client id hidden, but you are right not to save the client secret somewhere in your app. Exposing it would definitely compromise your security.
In your case, you could set up an OAuth app that uses the Password Grant type (my personal preference), or have your user authenticate with your server, which will grant them an expiring access token to use with future requests. These are two different "OAuth flows" that are common for mobile apps.
There's also this awkwardly titled slideshow which I thought had some useful illustrations to describe the use of OAuth with mobile apps.
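To make the answer's suggestion concrete, here is an added stand-alone simulation (not Django OAuth Toolkit's own code, and not from the question or answer) of the Password Grant exchange where the mobile app is registered as a public client, so the server never issues it a secret and the APK has nothing to leak; only the confidential server-side client authenticates with a secret, and the resource endpoint rejects expired tokens. Client ids, the user record and the TTL are constructed sample values.

```python
import hmac
import secrets
import time

# Constructed sample registrations; a real authorization server keeps these in
# its database (in Django OAuth Toolkit, the Application model).
APPLICATIONS = {
    # Mobile app registered as a *public* client: no secret exists for it,
    # so there is nothing to embed in (or recover from) the APK.
    "mobile-app": {"client_type": "public", "grant_types": {"password"}},
    # Server-side job: confidential client, the secret stays on that server.
    "backend-job": {"client_type": "confidential", "secret": "s3rv3r-0nly",
                    "grant_types": {"client_credentials"}},
}
USERS = {"alice": "correct horse"}  # constructed; real servers store password hashes

TOKEN_TTL = 3600          # seconds until an issued access token expires
_issued = {}              # access token -> (username, expiry timestamp)


def token_endpoint(form, now=None):
    """Simulated /o/token/ handler for the Resource Owner Password grant."""
    now = time.time() if now is None else now
    app = APPLICATIONS.get(form.get("client_id"))
    if app is None or form.get("grant_type") not in app["grant_types"]:
        return {"error": "invalid_client"}
    if app["client_type"] == "confidential":
        # Only confidential clients prove possession of a secret; constant-time compare.
        if not hmac.compare_digest(form.get("client_secret", ""), app["secret"]):
            return {"error": "invalid_client"}
    if form["grant_type"] == "password":
        stored = USERS.get(form.get("username", ""))
        if stored is None or not hmac.compare_digest(stored, form.get("password", "")):
            return {"error": "invalid_grant"}  # user credentials are what the public client proves
        token = secrets.token_urlsafe(32)
        _issued[token] = (form["username"], now + TOKEN_TTL)
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}
    return {"error": "unsupported_grant_type"}


def protected_resource(authorization_header, now=None):
    """Simulated protected endpoint: accepts only a live Bearer token."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    entry = _issued.get(token)
    if scheme != "Bearer" or entry is None:
        return 401, None
    username, expiry = entry
    if now >= expiry:
        return 401, None  # expired: the app must obtain a fresh token
    return 200, {"user": username}
```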