I have an api which uses OAuth 1.0a to authenticate applications using it. It's replacing an old api which used a number of custom built and hodge-podge calls which are being deprecated.
It's well known that OAuth 1.0a is not secure in (client-side) Javascript since it relies on the consumer secret being kept secret. Which is not possible since the source is always viewable.
We have browser extensions for Chrome, Firefox, IE and Safari which need to use this api in the future. These extensions are all written largely or entirely in Javascript, and hence the problem of security.
These extensions are in-house and so can have custom authentication methods to get their access tokens.
What I'm planning on implementing is the following:
It operates under the following assumptions:
My question is, is this a secure method of restricting access to the api? Are there any better ones?
A couple of notes. I know for a fact that chrome extensions can ask for permission to access your cookies for a given site. I believe firefox extensions can do so too.
Obviously we don't want our cookies accessible via javascript on any page otherwise we'd expose ourselves to XSS attacks, so they need to only be accessible via extensions.
I wrote a site that does OAuth login via javascript library for OAuth. This is the workflow:
There is some more detail to this process, I can tell you more about it if you want me to.