Oauth client-side security

79 views
Skip to first unread message

brent lingle

unread,
May 12, 2012, 12:46:31 PM5/12/12
to Tumblr API Discussion
Is it unsafe to expose the api Oauth key in a client-side ajax call?
It seems that an unscrupulous user could see this key and wreak havoc
on your app/blog.

Here is an example,

$.ajax({
type: "GET",
url: "http://api.tumblr.com/v2/blog/brentisyourfriend.tumblr.com/
info",
dataType: "jsonp",
data: {
//is it unsafe to expose the #api_key in a client-side ajax
call?
api_key: "#api_key",
jsonp: "blogInfo"
},
jsonpCallback: 'blogInfo',
success: function(data, status, jqXHR) {
$("#info").html("<h1>" + data.response.blog.title + "</h1>" +
"<ul><li>Number of Posts: " + data.response.blog.posts +
"</li>" +
"<li>Blog Name: " + data.response.blog.name + "</li>" +
"<li>Description: " + data.response.blog.description + "</
li>" +
"<li>Url: " + data.response.blog.url + "</li></ul>");
},
error: function(jqXHR, status, error) {
alert(status);
}
});

brent lingle

unread,
May 12, 2012, 1:31:52 PM5/12/12
to Tumblr API Discussion
To answer my own question, and the others regarding this nature.

It is VERY unsafe to expose your api_key, or secret key through
Javascript.

It gives anyone who knows it permission to create applications or
break you application using your identity.

So, other than a few fringe cases, leave this to the Server.

Thanks.
Reply all
Reply to author
Forward
0 new messages