0

I'm implementing an OAuth consumer, which will run on various set-top-boxes. Some of them don't provide any means of storing user data permanently. When the STB is switched off, all data is lost (apart from firmware, of course). How can I store access tokens then? The demand is that user should authenticate only once and that the access tokens have long validity (until revoked by the user him/herself). So authenticating every time the STB is switched on is out of the question. Is OAuth in this case worthless? Can I use some other data (for instance MAC or some unique HW data) instead of access tokens? I know those can be spoofed, but I don't have any other ideas.

Ah, BTW, I'm implementing the server side (the service provider), too, but since it will be used by 3rd party consumers, too, I have to provide the "proper" OAuth for them, and can make some tweaks for my consumer application, since it is obviously a trusted one.

Thanks!

paaro
  • 33
  • 2

1 Answers1

1

Can you have a web service on the server side (protected by SSL and digital certificate to make sure no one else can access it) that takes some unique MAC (or HW data) and returns the proper OAuth token to the STB?

So the flow would be: 1) STB boots up, sends unique HW data to server via web service to retrieve OAuth Token - If token exists, go to step 4 otherwise go to step 2 2) User does OAuth authentication at STB. 3) STB stores token in local memory and sends it via web service to server side along with some unique HW data 4) STB uses OAuth token to do normal functions 5) STB is unplugged, turned off, etc that makes it lose token from local memory Back to Step 1.

Issues to look out for: A) User returns STB since they no longer want service. You need to clear the token somehow in case another user gets that STB. You don't want new user getting old user's data B) STB break and user has to get a new one. Should they have to re-authenticate or would the token move over automatically to new unique HW data

Mark S.
  • 3,849
  • 4
  • 20
  • 22
  • I'm not sure about unique HW data, if it is available or not at all. If I use MAC, I'm concerned about MAC spoofing. If access token has indefinite lifespan and somebody somehow reads someone else's STB MAC, that could be quite dangerous. I will enforce SSL, but I'm not that familiar with the protocol itself. Can you intercept MAC address in encrypted HTTP packet? How is the answer from the server routed to the proper client (STB), if MAC is encrypted? – paaro Sep 14 '11 at 20:57
  • You really need to send the unique HW over SSL to a web service that is protected by a digital certificate. The SSL will hide the data and the certificate will ensure that no one can access the web service without your permission. The unique HW data (MAC, etc) will be in the data of the web service. Since the connection is SSL, no one will be able to snoop and get it. – Mark S. Sep 14 '11 at 21:19
  • When you mention a certificate, do you mean server or client side certificate? Server side certificate is mandatory, but we don't want to use client side certificates, as user can have more devices and it can become quite cumbersome handling with client certificates. – paaro Sep 14 '11 at 22:50
  • I'm talking about [web service message level security](http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss). The server will have special web service operations that only your STB can call. If the Web Service Security is not in the header, then it blocks the request. This stops third parties from hitting that web service. – Mark S. Sep 14 '11 at 22:57
  • Now this is something completely new to me. Are there any server-side (Java) and client-side (JS) examples or tutorials which might help me? – paaro Sep 15 '11 at 10:35
  • A [previous question](http://stackoverflow.com/questions/699254/jax-ws-consuming-web-service-with-ws-security-and-ws-addressing) has examples. – Mark S. Sep 15 '11 at 14:28