Is xAuth secure?

I am not a security expert and I am just starting to get into oAuth and the different ways social sites can be cross authenticated with social applications.  I have played with Facebook and Twitter using oAuth which work great for my blog other sites.

xAuth is interesting because it is basically the same thing as oAuth but skips the request_token and authorize steps.

xAuth allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step. See this for more details. – Twitter Documention

The problem, from what I know is, the “request_token and authorize” steps seem pretty important. This is where the user basically accepts the application requesting access.

Why is this cool? Well, imagine an on premise application (one that is behind the firewall) that wants to integrate with Twitter, LinkedIn or Facebook. It simply won’t work since none of those applications can call back into the site behind the firewall. xAuth would solve this.

Now, if an application is well known and the key is truly kept secret then I guess xAuth could be used. With a world of “leaks” and lack of employee trust, I simply can not see xAuth being a viable way to achieve authentication.

One thought on “Is xAuth secure?

  1. Pingback: Tweets that mention Is xAuth secure? » Balfes.net -- Topsy.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s