About to open up a public API with OAuth access, no problem with that. Main site uses the API but with basic authentication instead (restricted to our internal IP range).
Next step is to plan a mobile application but how should one handle authentication there?
First thought was to create a special login screen just for our appid to make it look like authentication (instead of authorization), but it would not be very hard to reverse engineer our appid.
How does (for example) Facebook handle login within the Facebook iPhone app? Look and feel says they're using authentication, but if so, how do they keep others from using it?
Suggestions appreciated.
I think you will find your answer in this document, and in particular this paragraph: http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-07#section-5.2.3.4
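As an added illustration of the point behind the question (not code from the question or the answer, nor from the linked draft), here is a minimal authorization server model in the spirit of the OAuth 2.0 threat model: the mobile app is a public client whose client_id is not treated as a secret, and protection comes instead from exact redirect_uri matching, explicit user consent, and a single-use, short-lived authorization code bound to that client_id and redirect_uri. The client_id, redirect URI scheme and user name are constructed for the example.

```python
# Added example: an authorization server treating a native/mobile app as a
# public client. The client_id is NOT a secret (it can be pulled out of the
# app binary); the checks below do not depend on it staying hidden.
import secrets
import time

# Constructed registration data: the mobile app has no client_secret at all.
REGISTERED_CLIENTS = {
    "mobile-app-1234": {"public": True,
                        "redirect_uris": {"myapp://oauth/callback"}},
}

CODE_TTL_SECONDS = 60
_issued_codes = {}  # code -> {client_id, redirect_uri, user, expires, used}


def authorize(client_id, redirect_uri, user, user_consented):
    """Authorization endpoint: returns an auth code, or raises on failure."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client_id")
    # Exact match against the registered URI; no prefix or substring matching.
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered for this client")
    # A public client cannot prove who it is, so the user must consent.
    if client["public"] and not user_consented:
        raise PermissionError("user consent required for public client")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {
        "client_id": client_id, "redirect_uri": redirect_uri, "user": user,
        "expires": time.time() + CODE_TTL_SECONDS, "used": False,
    }
    return code


def exchange_code(client_id, code, redirect_uri):
    """Token endpoint: code is single-use and bound to client_id/redirect_uri."""
    entry = _issued_codes.get(code)
    if entry is None or entry["used"] or time.time() > entry["expires"]:
        raise ValueError("invalid, used or expired code")
    # Mark the code used on any attempt so it cannot be replayed afterwards.
    entry["used"] = True
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        raise ValueError("code not bound to this client/redirect_uri")
    return {"access_token": secrets.token_urlsafe(32), "user": entry["user"]}
```

The only thing the app identifies itself with is the client_id, and knowing it buys nothing: a code is delivered solely to the registered redirect_uri, can be redeemed once, and is only issued after the user has consented.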