
OAuth without browser and SSL / challenge-response model

We have a plan for developing a mobile application using a RESTful API. We want to apply OAuth 1.0a, not OAuth 2.0, because we don't use SSL. We also don't want to use a web browser (we think PIN-based UX is not friendly). We know it's impossible with the normal OAuth flow.

I am not an expert in security architecture, but I googled on the Net and saw that someone has an implementation using a login method like a challenge-response model.

If our app doesn't need to keep the username secure and users trust us with entering their password in our app, can this method be used to exchange the access token? Is there any flaw?

  1. After the server responds with an unauthorized request token, the client begins the challenge-response flow.
  2. The client sends a request to http://www.example.com/login with the parameters OAuth requires: oauth_consumer_key, oauth_token, oauth_signature_method, oauth_timestamp, oauth_nonce, plus the additional username parameter username="username" and a password parameter calculated from the user's password (which is stored on the server) and oauth_nonce with a KDF (key derivation function)/hash function. The client calculates the request signature as the OAuth specification describes, but sends the request with the username parameter and the other required parameters after omitting the password parameter.
  3. The server checks the request and returns the access token.
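The flow in steps 1 to 3 as an added example in Python; this is not code from the original post. It shows the derived password entering the OAuth 1.0a signature base string on the client but never the wire, and the server recomputing the signature from its own password store; because every other signed value travels in the clear, the signature can be checked against password guesses offline, which is the reason to put SSL on this step. The consumer key/secret, request token, user store and PBKDF2 choice are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote
# Constructed demo values (not from the original post); the server's password store is a dict.
CONSUMER_KEY, CONSUMER_SECRET = "demo-consumer-key", "demo-consumer-secret"
REQ_TOKEN, REQ_TOKEN_SECRET = "demo-request-token", "demo-request-token-secret"
SERVER_USERS = {"alice": "correct horse battery staple"}
LOGIN_URL = "http://www.example.com/login"

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay unencoded.
    return quote(str(s), safe="-._~")

def derive_password_param(password, nonce):
    # Hypothetical KDF for step 2: PBKDF2-HMAC-SHA256 salted with the request nonce.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), nonce.encode(), 10_000)
    return base64.b64encode(dk).decode()

def sign(method, url, params, consumer_secret, token_secret):
    # OAuth 1.0a HMAC-SHA1: sorted encoded params -> signature base string -> HMAC.
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def client_login_request(username, password):
    params = {
        "oauth_consumer_key": CONSUMER_KEY, "oauth_token": REQ_TOKEN,
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8), "username": username,
    }
    # Step 2: the derived password is included in the signed parameter set ...
    signed = dict(params, password=derive_password_param(password, params["oauth_nonce"]))
    params["oauth_signature"] = sign("POST", LOGIN_URL, signed, CONSUMER_SECRET, REQ_TOKEN_SECRET)
    return params  # ... but is omitted from what actually goes on the wire.

def server_verify(request):
    # Step 3: rebuild the signed set from the stored password and compare signatures.
    # Nonce/timestamp replay tracking, which a real server also needs, is left out here.
    stored = SERVER_USERS.get(request.get("username"))
    if stored is None or request.get("oauth_consumer_key") != CONSUMER_KEY:
        return False
    params = {k: v for k, v in request.items() if k != "oauth_signature"}
    params["password"] = derive_password_param(stored, request["oauth_nonce"])
    expected = sign("POST", LOGIN_URL, params, CONSUMER_SECRET, REQ_TOKEN_SECRET)
    return hmac.compare_digest(expected, request["oauth_signature"])
```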


I believe what you are describing is very similar to Twitter's xAuth, except you are planning to use your own client-side encryption of the password and not SSL.

I would read their xAuth documentation to see a tried and tested method and consider using SSL for the token request step.
