Is xAuth secure?

I am not a security expert and I am just starting to get into OAuth and the different ways social sites can be cross-authenticated with social applications. I have played with Facebook and Twitter using OAuth, which works great for my blog and other sites.

xAuth is interesting because it is basically the same thing as OAuth but skips the request_token and authorize steps.

xAuth allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step. See this for more details. – Twitter Documentation

The problem, from what I know, is that the request_token and authorize steps seem pretty important: this is where the user actually consents to the application requesting access.
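As an added example (not code from the original post or from Twitter), here is what the single xAuth access_token step described above looks like in Python: the client signs the request with HMAC-SHA1 keyed only by the consumer secret (there is no request-token secret, because that step was skipped) and sends the user's raw username and password in the same request; the server-side check shows that whoever holds the consumer secret can produce a request the server accepts, which is exactly why the secret matters so much. The endpoint URL and the x_auth_* parameter names follow Twitter's xAuth documentation as I recall it and are assumptions here; nonce and timestamp values are constructed sample inputs.

```python
import base64
import hashlib
import hmac
import urllib.parse as up

# Assumed endpoint: Twitter's OAuth 1.0a access_token URL (not taken from the post).
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def percent_encode(value: str) -> str:
    # OAuth 1.0a uses RFC 3986 encoding: only unreserved characters stay as-is.
    return up.quote(str(value), safe="-._~")


def normalize_params(params: dict) -> str:
    # Encode keys and values, sort by (key, value), join as k=v&k=v.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    # METHOD & encoded(URL) & encoded(normalized parameters)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalize_params(params))])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    # xAuth has no request token yet, so the key collapses to "<consumer_secret>&":
    # the consumer secret alone proves the application's identity.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_xauth_request(consumer_key, consumer_secret, username, password, nonce, timestamp) -> dict:
    # Client side. Note the user's plaintext credentials travel in the signed body.
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
        "x_auth_mode": "client_auth",
        "x_auth_username": username,
        "x_auth_password": password,
    }
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, consumer_secret)
    return params


def verify_xauth_request(params: dict, consumer_secret: str) -> bool:
    # Server side: recompute over everything except the signature itself.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign("POST", ACCESS_TOKEN_URL, unsigned, consumer_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Nothing in the exchange asks the user for consent: the server only checks that the consumer secret was used and that the password is right, so a leaked secret plus phished credentials is all an attacker needs to be indistinguishable from the real app.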

Why is this cool? Well, imagine an on-premises application (one that sits behind the firewall) that wants to integrate with Twitter, LinkedIn or Facebook. It simply won't work, since none of those services can call back into a site behind the firewall. xAuth would solve this.

Now, if an application is well known and the key is truly kept secret, then I guess xAuth could be used. In a world of "leaks" and a lack of employee trust, I simply cannot see xAuth being a viable way to achieve authentication.

