Question

I'm implementing an OAuth consumer, which will run on various set-top boxes. Some of them don't provide any means of storing user data permanently. When the STB is switched off, all data is lost (apart from firmware, of course). How can I store access tokens then? The demand is that the user should authenticate only once and that the access tokens have long validity (until revoked by the user him/herself). So authenticating every time the STB is switched on is out of the question. Is OAuth in this case worthless? Can I use some other data (for instance MAC or some unique HW data) instead of access tokens? I know those can be spoofed, but I don't have any other ideas.

Ah, BTW, I'm implementing the server side (the service provider), too, but since it will be used by 3rd party consumers, too, I have to provide the "proper" OAuth for them, and can make some tweaks for my consumer application, since it is obviously a trusted one.

Thanks!

No correct solution

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow