Some applications avoid revealing the consumer secret by storing it on a server (not distributing it to users). A request for access would be transmitted from the user's machine to a NoseRub server and then from NoseRub to Twitter. The NoseRub server would sign the request. Obviously this is a less distributed architecture.
On Mar 28, 7:56 am, Daniel Hofstetter <[email protected]> wrote: > We currently work on OAuth-based Twitter support for NoseRub (http:// > noserub.com), and there the question has arisen, whether consumer key/ > secret could be distributed with the application to make this > functionality work out of the box, i.e. without requiring the user to > "register" his installation on Twitter. > > The specification (Appendix B.7. Secrecy of Consumer > Key,http://oauth.net/core/1.0/#anchor40) is a bit unclear about this > topic. It doesn't explicitly say the consumer key has to be kept > secret nor does it say the "secret" could be public... > > One possible issue I can see is that someone else claims to be > "NoseRub", and after he got an access token he abuses it... > > So, how do others deal with such a scenario? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
