I am developing an API that will be used by users of my customers. Here is what the flow will look like:

  1. User of my cloud based service creates an API key.
  2. User embeds the API key into their own custom applications.
  3. User deploys the application to their own end users.
  4. The application talks to our API.

I am looking for advice on how to secure this API. I see a few issues:

  1. The API key has to be embedded into the user's application and is therefore vulnerable to being stolen and abused.
  2. Once an API key is compromised, it can easily be disabled, but how will my users update their applications to use a new API key, short of having to rebuild the application and redeploy?

Does anyone have any ideas on how to design this?

A: 

Two solutions that I can see to this, although I'm sure there are more.

  1. Use OAuth's RSA signature method, and implement a secure certification exchange of keys using your "cloud based service" as the exchange mechanism (or a public cert provider).

  2. Implement a service that allows clients to "renew" their consumer key/secret automatically, but then secure that mechanism using RSA or some other public key encryption method.

Both of these are not easy, and would require your user's applications to "phone home" in order to update their consumer keys.

In the future I think OAuth 2 will provide at least protocol definitions for things like this, but for now, if you're using OAuth 1.0a, what you want to do doesn't really fit into the spec very well (i.e. you have to design much of it yourself.)

Brandon C
Since the application is being distributed to a bunch of untrusted users, wouldn't any one of them simply be able to decompile the app and get the consumer and secret keys and be able to abuse the service? I can't figure out a way that will prevent that type of abuse. The only thing I can think of is to have the ability to block IPs that are abusing the service.
Eric J. Smith
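The two mechanisms the answer sketches, as an added example that is not part of the original thread or of any real project's code: an OAuth 1.0a-style RSA-SHA1 request signature (the application holds an RSA private key, the service stores only the matching public key under a consumer key) plus a "renew" endpoint through which a deployed application phones home with a new public key, receives a fresh consumer key, and the old one lapses after a grace period. The endpoint URL, the `ck_` key format, the policy constants and the in-memory maps are assumptions for this example; a real service would back them with storage, locking and TLS. It answers the rotation question (issue 2) but not the comment's objection: a private key shipped inside a distributed binary is as extractable as an API key, so the scheme only limits blast radius where the key pair is generated per installation rather than compiled in.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"net/url"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Hypothetical policy values for this example: timestamp window, grace period for a superseded key, renewal endpoint.
const tsWindow, renewalGrace, renewURL = 5 * time.Minute, time.Hour, "https://api.example.com/v1/renew"

// enc is OAuth 1.0a percent-encoding (RFC 3986 unreserved set); url.QueryEscape differs only in using '+' for space.
func enc(s string) string      { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }
func sha1Of(s string) []byte   { h := sha1.Sum([]byte(s)); return h[:] }
func randomToken(n int) string { b := make([]byte, n); rand.Read(b); return base64.RawURLEncoding.EncodeToString(b) }
func newKey() *rsa.PrivateKey  { k, err := rsa.GenerateKey(rand.Reader, 2048); if err != nil { panic(err) }; return k }

// baseString builds the RFC 5849 §3.4.1 signature base string: METHOD & URL & sorted "k=v" pairs, minus oauth_signature.
func baseString(method, rawURL string, p map[string]string) string {
	var keys, pairs []string
	for k := range p {
		if k != "oauth_signature" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	for _, k := range keys {
		pairs = append(pairs, enc(k)+"="+enc(p[k]))
	}
	return strings.ToUpper(method) + "&" + enc(rawURL) + "&" + enc(strings.Join(pairs, "&"))
}

// Sign is the client side (the code embedded in the customer's app): it adds the oauth_* parameters to p in place
// and signs the base string with RSA-SHA1 (PKCS#1 v1.5). Only the public key is ever registered with the server.
func Sign(priv *rsa.PrivateKey, consumerKey, method, rawURL string, p map[string]string, now time.Time) error {
	p["oauth_consumer_key"], p["oauth_signature_method"] = consumerKey, "RSA-SHA1"
	p["oauth_timestamp"], p["oauth_nonce"] = strconv.FormatInt(now.Unix(), 10), randomToken(16)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, sha1Of(baseString(method, rawURL, p)))
	if err != nil {
		return err
	}
	p["oauth_signature"] = base64.StdEncoding.EncodeToString(sig)
	return nil
}

// Server is the cloud API: consumer key -> public key, expiry for superseded keys, nonce cache (single-threaded demo).
type Server struct {
	pubs      map[string]*rsa.PublicKey
	expiry    map[string]time.Time
	seenNonce map[string]bool // a real server prunes this by tsWindow
}

func NewServer() *Server { return &Server{map[string]*rsa.PublicKey{}, map[string]time.Time{}, map[string]bool{}} }

// Register is the cloud-console step: upload a public key, receive a consumer key. Disabling a key is a delete from pubs.
func (s *Server) Register(pub *rsa.PublicKey) string {
	key := "ck_" + randomToken(9)
	s.pubs[key] = pub
	return key
}

// Verify checks key status, timestamp freshness, nonce uniqueness and the RSA signature, in that order.
func (s *Server) Verify(method, rawURL string, p map[string]string, now time.Time) error {
	key := p["oauth_consumer_key"]
	pub, exp, nonce := s.pubs[key], s.expiry[key], key+":"+p["oauth_nonce"]
	if pub == nil || (!exp.IsZero() && now.After(exp)) {
		return errors.New("unknown, revoked or expired consumer key")
	}
	ts, err := strconv.ParseInt(p["oauth_timestamp"], 10, 64)
	if d := now.Sub(time.Unix(ts, 0)); err != nil || d > tsWindow || d < -tsWindow || s.seenNonce[nonce] {
		return errors.New("stale timestamp or replayed nonce")
	}
	sig, err := base64.StdEncoding.DecodeString(p["oauth_signature"])
	if err != nil || p["oauth_signature_method"] != "RSA-SHA1" ||
		rsa.VerifyPKCS1v15(pub, crypto.SHA1, sha1Of(baseString(method, rawURL, p)), sig) != nil {
		return errors.New("signature verification failed")
	}
	s.seenNonce[nonce] = true
	return nil
}

// Renew is the "phone home" rotation endpoint: a request signed with the current key carries a new public key (base64
// PKCS#1 DER); the server issues a fresh consumer key for it and lets the old one lapse after renewalGrace, so copies
// that fetch the new key promptly never see an outage.
func (s *Server) Renew(p map[string]string, now time.Time) (string, error) {
	if err := s.Verify("POST", renewURL, p, now); err != nil {
		return "", err
	}
	der, err := base64.StdEncoding.DecodeString(p["new_public_key"])
	pub, perr := x509.ParsePKCS1PublicKey(der)
	if err != nil || perr != nil {
		return "", errors.New("new_public_key is not a base64 PKCS#1 public key")
	}
	s.expiry[p["oauth_consumer_key"]] = now.Add(renewalGrace)
	return s.Register(pub), nil
}
```

The grace period is what makes rotation survivable for applications already in the field: every copy that calls `Renew` before the old key expires moves to its own fresh key with no rebuild, and anything still presenting the old key afterwards is refused. Immediate revocation of a stolen key is just deleting its entry from `pubs`; the nonce cache and timestamp window are the OAuth 1.0a replay defences and are independent of the rotation logic.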