3

I'm designing an API server and client pair. Typically, I want the client to be in a WordPress plugin. I'd like to use OAuth or something similar to secure the requests. However, as you know, OAuth depends on secrecy of the client credentials and especially the client's secret. However, WordPress is open-source, so I cannot store the client's credentials in the code.

So, my general question: what are the options to secure such a system, in which you can't store the client's credentials because the client's code is open-source?

Improve this question
3
  • Why would the client credentials be stored in the code? Why wouldn't they be a configuration option for the end user to enter, and specific to each installation? Commented Mar 22, 2013 at 14:57
  • @Xander that's a possibility too, but still, they would be stored in plaintext, available to potentially untrustworthy people. Commented Mar 22, 2013 at 15:08
  • 1
    Expanded into an answer here: security.stackexchange.com/a/33058/12 If you want the WordPress site to be able to access the resource server without manual intervention, the client secret needs to be stored there somehow. It doesn't necessarily need to be plain-text, it could be encrypted and stored in the database, if you'd rather. Commented Mar 22, 2013 at 15:14

3 Answers 3

Reset to default
3

So typically is is exactly the sort of problem that OAuth was designed to avoid, not create.

You, as a resource provider, have created a system that you have decided to protect with OAuth, and a WordPress plugin that acts as a client to your system.

Bob, who has a WordPress site and who would like to use your system, installs the plugin into his WordPress site. Then, Bob visits your system, informs it that he would like to use it and requests access. The system then gives him a new, unique client secret. He adds the client secret to the plugin configuration on his site, and he can now connect to your service using credentials that are unique to him.

This way, every site that has installed the plugin is uniquely identifiable, and the client secret need never be known to anyone other than the single WordPress site that owns it.

Improve this answer
1
  • Aah, right, each wordpress site gets is own client token. That explains, I thought every plugin had its own token. Thanks a lot! Commented Mar 22, 2013 at 15:17
1

Even if the code was not "open source", hiding credentials in it would be a bad idea. Reverse engineering is good at finding secrets concealed in compiled code, however cunning the developer thought that was.

Your problem is about a machine trying to prove its identity to another machine. Let's call the first machine the "client". The client will need to "know something" which makes it distinct from any other machine; what Microsoft documentation tends to call "credentials". Regardless of how you do it, these credentials will be stored somewhere on the client, and are available in an automated way, because you want your client to be able to operate without active human supervision. Correspondingly, if the operating system is hostile or subverted, then you've lost.

So what you need is to store the credentials in a file protected by the operating system (i.e. with access rights which keep out intruders). You cannot do better anyway, at least not without throwing expensive hardware at the problem.

Improve this answer
3
  • But the problem here is that the user of e.g. WordPress might have access to the operating system, since WordPress is all open-source. So you're saying there is no way to build an OAuth client with WordPress? Commented Mar 6, 2013 at 14:50
  • 2
    Open source is really not at all the issue. "Open source" means that the source code is known. It is unrelated with the knowledge of authentication tokens like passwords. My mail/Web/SSH server is completely opensource (Linux throughout) and yet you cannot log in it because you do not know the password (which is not in the source code, which would be stupid, and not in the resulting binary, which would not be much more intelligent either). Commented Mar 6, 2013 at 14:53
  • But your server doesn't need the pass in plaintext, while the plugin would. Am I right? Commented Mar 7, 2013 at 7:18
0

The easiest way to achieve what you want is with a secured token, which although Pornin claims is expensive needn't be, especially as you actually have a pretty limited use case. For example a Yubikey is about $25. You could also just use a Raspberry Pi to hold credentials off of the server and configure it to perform encryption on demand. Most encryption schemes in use are secure against Chosen Plaintext Attack (CPA).

Improve this answer

You must log in to answer this question.