Of course, this just moves the problem elsewhere, as the application still has to authenticate against the NoseRub server...
EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Monday, March 30, 2009 10:30 AM
> To: OAuth
> Subject: [oauth] Re: Consumer secret and open source web applications
>
> Some applications avoid revealing the consumer secret by storing it on
> a server (not distributing it to users). A request for access would
> be transmitted from the user's machine to a NoseRub server and then
> from NoseRub to Twitter. The NoseRub server would sign the request.
> Obviously this is a less distributed architecture.
>
> On Mar 28, 7:56 am, Daniel Hofstetter <[email protected]> wrote:
> > We currently work on OAuth-based Twitter support for NoseRub
> > (http://noserub.com), and there the question has arisen, whether
> > consumer key/secret could be distributed with the application to make
> > this functionality work out of the box, i.e. without requiring the
> > user to "register" his installation on Twitter.
> >
> > The specification (Appendix B.7. Secrecy of Consumer Key,
> > http://oauth.net/core/1.0/#anchor40) is a bit unclear about this
> > topic. It doesn't explicitly say the consumer key has to be kept
> > secret nor does it say the "secret" could be public...
> >
> > One possible issue I can see is that someone else claims to be
> > "NoseRub", and after he got an access token he abuses it...
> >
> > So, how do others deal with such a scenario?
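The two messages above turn on where the OAuth 1.0 consumer secret lives: HMAC-SHA1 needs it as half of the signing key, so whoever holds it can sign as "NoseRub". The following is an added example, not NoseRub's or Twitter's code, showing the signature computation from OAuth Core 1.0 (sections 9.1 and 9.2) and the signing-proxy layout proposed in the thread: the consumer secret and the users' token secrets stay on one server, installations send it the request to be signed, and the proxy returns only the oauth_* parameters. The `SigningProxy` class, its `install_token` per-installation credential and the `install-1` identifier are assumptions for illustration; the key, secrets, nonce, timestamp and expected signature in the test are the published test vector from Appendix A of the OAuth Core 1.0 specification. The proxy's own `install_token` check is exactly the authentication step EHL's reply says the design merely relocates.

```python
"""OAuth 1.0 HMAC-SHA1 signing plus the signing-proxy layout from the thread.

Added example, not NoseRub's or Twitter's code. SigningProxy, install_token
and the install ids are assumptions; the test values are the OAuth Core 1.0
Appendix A vector.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    # OAuth Core 1.0 section 5.1: encode everything except unreserved chars
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    # Section 9.1: METHOD & encoded(normalised URL) & encoded(sorted params)
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default_port = {"http": 80, "https": 443}.get(scheme)
    if port and port != default_port:
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path}"
    # Query-string parameters count as request parameters too
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalised = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalised)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # Section 9.2: key = encoded(consumer secret) '&' encoded(token secret)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signature_valid(base: str, consumer_secret: str, token_secret: str, presented: str) -> bool:
    # The provider side (Twitter in the thread): recompute, compare in constant time
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


class SigningProxy:
    """Assumed design: holds the consumer secret and each installation's
    token secret. Installations never receive either, but they must hold an
    install_token to use the proxy, which is the relocated secret."""

    def __init__(self, consumer_key: str, consumer_secret: str):
        self._consumer_key = consumer_key
        self._consumer_secret = consumer_secret
        self._installs = {}  # install_id -> install_token (assumed credential)
        self._tokens = {}    # install_id -> (oauth_token, token_secret)

    def register(self, install_id: str) -> str:
        # Issued once per installation; the installation must keep it secret
        token = secrets.token_urlsafe(32)
        self._installs[install_id] = token
        return token

    def store_access_token(self, install_id: str, oauth_token: str, token_secret: str) -> None:
        # Stored after the OAuth dance so the token secret also stays server-side
        self._tokens[install_id] = (oauth_token, token_secret)

    def sign(self, install_id: str, install_token: str, method: str, url: str,
             params: dict, nonce: str = None, timestamp: int = None) -> dict:
        expected = self._installs.get(install_id)
        if expected is None or not hmac.compare_digest(expected, install_token):
            raise PermissionError("installation not authenticated to the proxy")
        oauth = {
            "oauth_consumer_key": self._consumer_key,
            "oauth_nonce": nonce or secrets.token_hex(16),
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
            "oauth_version": "1.0",
        }
        oauth_token, token_secret = self._tokens.get(install_id, ("", ""))
        if oauth_token:
            oauth["oauth_token"] = oauth_token
        base = base_string(method, url, {**params, **oauth})
        oauth["oauth_signature"] = hmac_sha1_signature(base, self._consumer_secret, token_secret)
        return oauth  # caller builds the Authorization header; secrets never left the proxy


if __name__ == "__main__":
    proxy = SigningProxy("dpf43f3p2l4k3l03", "kd94hf93k423kf44")
    install_token = proxy.register("install-1")
    proxy.store_access_token("install-1", "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00")
    print(proxy.sign("install-1", install_token, "GET", "http://photos.example.net/photos",
                     {"file": "vacation.jpg", "size": "original"},
                     nonce="kllo9940pd9333jh", timestamp=1191242096))
```

Note what the layout buys and what it does not: anyone who obtains the consumer secret from a shipped copy can sign as the consumer against the provider, whereas with the proxy an attacker needs an `install_token`, and the proxy can revoke a single installation's token rather than the consumer key that all installations share. The installation still has to keep that token secret, which is EHL's point.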
