[twitter-dev] Re: Open Source CMS Module and Consumer Secret
I have the same question. I need to add Twitter OAuth to my widely distributed PHP-based open-source CMS add-on. All the documentation says never ever distribute your consumer secret, and I understand why this would be a bad idea. Yet all of the documentation/examples I have found require that the consumer secret be hard-coded into the source. The closest thing I have found that doesn't require the consumer secret embedded in the source is a description of how it might work: http://groups.google.com/group/twitter-development-talk/browse_thread/thread/c18ade9d86c8b239 But I cannot find any docs/examples where this scenario has actually been implemented.

On Jul 23, 6:06 am, MindcrimeNL hostmas...@gab-ev.de wrote:

I'm sorry if this has been asked before: I've written a Twitter module for ClanSphere Clan CMS and I'm now converting it to use OAuth. I finally got it working, but I have a question about the ConsumerSecret. I registered the application under my Twitter account and obtained a ConsumerKey and ConsumerSecret. The module is (will be) publicly available for download, and webmasters just have to install the module in their own ClanSphere Clan CMS to be able to use it and make it possible for all users on their website to post tweets via that module. But, to prevent the hassle for all these webmasters, so that they do not need to register an application on their own and install their own ConsumerKey and ConsumerSecret: how do I make it possible that everyone can make use of my registered application? As I understand from the name, the ConsumerSecret is secret, so I should not distribute it to the community... Every user should (as access tokens currently don't expire) only need to allow my application once in order to be able to use the Twitter module:

    An application would like to connect to your account
    The application ClanSphere Module by Mindcrime, Geh aB Clan would like the ability to access and update your data on Twitter.
    Not using Twitter? Sign up and Join the Conversation!
    ALLOW | DENY

Sorry, but a lot of the webmasters using CMS systems don't know anything about code/PHP and are just capable of uploading some files... I would not like to think that I have to explain to them how to register the application in Twitter and change the code in the correct place... How can anyone make a public module that way? Thanks for the help...
[twitter-dev] Re: Open Source CMS Module and Consumer Secret
Correct me if I am wrong, but doesn't Twitter risk losing a large percentage of their third-party open-source developers by not having a solid solution for the required OAuth security changes in time for the deadline? I can only guess, but I would think that the open-source segment would count for quite a large number of independent developers, all eager to build for and promote the Twitter vision.

Michael

On Jul 27, 8:59 am, Taylor Singletary taylorsinglet...@twitter.com wrote:

Hi Folks, There are a few hold-ups to rolling this out more widely, the most pressing being that we are currently unable to serve SSL content on dev.twitter.com -- there are also better solutions than this rudimentary one that we simply can't implement yet. We're also concerned with releasing (and supporting) a solution widely that we'll soon want to deprecate.

Taylor

On Tue, Jul 27, 2010 at 8:53 AM, Cameron Kaiser spec...@floodgap.com wrote:

It does exist. While I can't speak for Twitter and whatever internal issues are slowing up its rollout, TTYtter has been a test bed for the key exchange for some time now. Most of the users have found the process painless. You can see how a sample workflow works in the documentation, or try it yourself. The app itself is open Perl. http://www.floodgap.com/software/ttytter/ I'm sure Taylor will comment on what will be happening to roll it out to more potential consumers.

-- 
personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- People are weird. -- Law & Order: SVU ---
[twitter-dev] Re: Open-source, distributed PHP app and consumer secret
So, I think the solution has to be that the user downloads my app, installs it on their site, then registers my app as their own app with dev.twitter. After which, they will receive their own key/secret pair. They will then input their key/secret pair into my app, which is living on their site, stored in some configuration file or database settings table. This way I don't distribute my secret. They will have to store their own key/secret pair, but this wouldn't be different than a site with its own proprietary solution. The only sticking point is that I will not get any branding rights on their posts/tweets, as they will have registered the app as their own and will be in control of the post branding.

The other option is to host a tweet service somewhere in the cloud. My app, installed on their site, would point to the service and they would have to grant permission to the service to make the tweets to their accounts. I like this second solution because it seems cleaner for the end user to set up and get running. However, this would mean that I would then be responsible for maintaining a service. And frankly, that sounds like a drag on resources.

These two are the best solutions I can figure given the circumstances. Normally, I would wait for Twitter to get this sorted; however, I don't want to risk disappointing my user base when the August 16th deadline rolls around. Do these solutions sound viable or am I all wet? Pros, cons, alternatives? Thx.

On Jul 27, 7:18 am, Decklin Foster deck...@red-bean.com wrote:

Excerpts from Michael Babcock's message of Mon Jul 26 19:28:15 -0400 2010:

So, after spending the day looking through documentation, developers' discussion and testing various OAuth code bits, it is my understanding that there is no secure OAuth solution for open-source PHP developers. But the August 16th deadline is still looming.

I am also concerned about this. Here is the response I got from support: "we're continuing to experiment with this feature, and have not made it available further. I apologize for the delay and inconvenience, but keep an eye on our developer talk group for future announcements." I have been watching this list for about a month (prior to checking with support) in case the feature is discussed here before being announced. @twitterapi, could we get some clarification on whether or not something will be ready before the August 16 deadline?
[twitter-dev] Re: Open Source CMS Module and Consumer Secret
Sorry for the confusion. I mean web application developers. There are quite a number of open-source web apps for Twitter. Besides standalone apps, there are also add-ons for all the various CMS solutions out there, written in PHP, Perl, etc.

On Jul 27, 2:02 pm, M. Edward (Ed) Borasky zn...@borasky-research.net wrote:

There are plenty of open source *library* developers, and plenty of applications that use open source libraries, but not all that many open source full applications. The only ones I can think of at the moment are Gwibber (Gnome), Choqok (KDE), mine (Social Media Analytics Research Toolkit), Spaz, get2gnow, and ttytter. IMHO Choqok and Gwibber are lame - I use CoTweet or Twitter.com on my desktop and mobile.twitter.com, Twitter, Twidroid, Seesmic, Touiteur and Peep on my HTC Verizon Droid Incredible. The Twitter piece of Social Media Analytics Research Toolkit is at the moment read only, and as I noted earlier the main reason I even looked at oAuth was to get the 1500 (read) API calls per hour. Given the small number of users I have at the moment, it wouldn't be all that difficult to upgrade them to oAuth and 350 calls per hour one at a time by hand - all that would be required is to license that piece of code separately. ;-)

-- 
M. Edward (Ed) Borasky
http://borasky-research.net
http://twitter.com/znmeb
A mathematician is a device for turning coffee into theorems. - Paul Erdos
[twitter-dev] Re: Open-source, distributed PHP app and consumer secret
Hi Tom, Thanks for the thoughts. I like your second solution: to host a tweet service on my site ("You can use your own server as a service which sends all requests to twitter."). I spoke with a colleague of mine and his advice was the same. My question (concern) is: doesn't this open me up as a potential target for would-be do-badders and create an additional layer of potential security issues?

Michael

On Aug 1, 1:21 pm, Tom allerleiga...@gmail.com wrote:

I've thought about this a lot myself as well, and haven't really come up with a proper solution either.
- You can try encoding all of your code with Zend Encoder and hope that nobody decodes it.
- You can use your own server as a service which sends all requests to Twitter. (This would be my solution)
- You can simply not care at all about the keys - after all, there is (imo) no real threat in exposing them to customers.
- You can let them use the new Twitter extension for open source Twitter clients - although I am not sure whether it's ready yet.

Tom
[twitter-dev] Re: Open Source CMS Module and Consumer Secret
I think the issue is really that it is not a very elegant solution and is outside the realm of a standard non-technical person's experience. The whole idea of having the end-user register a pre-built app as their own is cumbersome. That said, it is the only real solution to the dilemma. It is the solution that I have chosen for my own apps.

On Aug 18, 4:22 am, Ken k...@cimas.ch wrote:

I am new to this thread, having seen it over the past few weeks, and wondered what all the fuss was about. The solution by MindcrimeNL above seems optimal; why is it a workaround? Do developers not really want their users to register their own Twitter app? It's not exactly hard to do. You just need to tell them what to put for the callback URL... For open-source systems targeted at non-technical users, don't you provide a 'control panel' where the admin user can edit their preferences such as webmaster's email etc.? Just like inserting your Google Maps API key, AdSense id, Amazon Associates id, etc. For applications with a more technical installation, you'd just have them edit a config file.

On Aug 18, 11:34 am, MindcrimeNL hostmas...@gab-ev.de wrote:

Still no solution: http://groups.google.com/group/twitter-development-talk/msg/58b4b54d4... After that initial message, it is apparently still not available... I've released my module by explaining in the readme how webmasters can add their own application and obtain the consumer public and secret key for their application, and giving them an option to enter them in the module. I'm not really happy about this workaround... It just sucks...
[twitter-dev] Re: Open Source CMS Module and Consumer Secret
Well, as a testimony to this less than elegant solution (IMHO), I have rolled out my app (a PHP add-on for a popular CMS) with the customer_key and customer_secret fields blank in a settings-type control panel (db storage). I was very clear to provide a thorough walk-through of the dev.twitter.com application registration process for my user base. The walk-through takes the site admin all the way through initial installation, app registration, Twitter account authentication and sending their first tweet using the app. So far I have had very few questions as to how to set up the app using the new system. And I have had no complaints. Hurray!

On Aug 31, 2:08 am, Ken k...@cimas.ch wrote:

Oops. Really, I had thought this through but got carried away with the 'transparent installation' idea. During the installation, the user would authenticate (via the software provider or directly with Twitter?) - and then be delivered the credentials. Sorry.

On Aug 31, 10:58 am, Ken k...@cimas.ch wrote:

It seems that we are talking about two categories of applications.

1.) As in the subject of this thread, open-source CMS or other multi-user, membership or blogging systems. This type of system usually has some facility for the admin user/webmaster to change settings such as admin email address, error messages, API keys, etc. It makes sense for each deployment of such a system/module to be registered as a Twitter application (even if it is not an original unique application), if only because that way the source or via tag would be a link back to the individual deployment and not to the original developers of the software. In these cases the person installing the system can probably be counted on to have the ability and willingness to go to twitter.com and register an app, following the instructions provided by the software developers (you guys).

2.) Single-user server or open-source desktop app. I don't know all the details of xAuth, but it seems to involve some manual effort by Twitter. So apologies up front if the following already exists, has been rejected, or doesn't make sense: If the single-user server or open-source desktop app has been approved by Twitter, why not build into the app a call to the Twitter API that would create and install the needed credentials? The callback URL would be defined by the app; the other properties could be taken from the details provided by the user at install time. This could even be executed transparently during the installation. This new API endpoint would return something like what we now get using My Access Token.

Ken

On Aug 31, 2:30 am, John SJ Anderson geneh...@gmail.com wrote:

"I think it's far better developer/business practice to design *proprietary* applications that are secure and register them with Twitter using xAuth."

As has been said time and time again, proprietary is not a solution for this, as any non-hosted app using OAuth can have the keys extracted from it. Additionally, some of us would like to write Free or Open Source applications that people can use on their own machines, without requiring them to register as Twitter developers. It used to be possible to do this. sigh

j.
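The pattern the thread settles on (consumer key/secret shipped blank in the site's own settings store and filled in by the webmaster after registering their own app), in PHP, as an added example that is not code from the thread or from any module it mentions: the settings loader, the credential values, the endpoint URL and the tweet text are constructed placeholders, and the code assumes PHP 7.4 or later. It also shows where the consumer secret enters OAuth 1.0a signing, which is why a secret hard-coded into distributed source amounts to handing out the registered app's identity.

```php
<?php
// Added example (not code from the thread or any CMS module it mentions).
// Pattern from the thread: the consumer key/secret ship blank and are filled
// in per deployment by the webmaster; the module fails closed until then.
declare(strict_types=1);

// Hypothetical settings loader; a real module reads its CMS settings table.
// All values below are constructed placeholders, not real credentials.
function load_settings(): array
{
    return [
        'twitter_consumer_key'    => 'PLACEHOLDER_CONSUMER_KEY',
        'twitter_consumer_secret' => 'PLACEHOLDER_CONSUMER_SECRET',
        'twitter_access_token'    => 'PLACEHOLDER_ACCESS_TOKEN',
        'twitter_access_secret'   => 'PLACEHOLDER_ACCESS_SECRET',
    ];
}

// Fail closed: with any field blank (the shipped default) no API call is made.
function require_credentials(array $s): array
{
    foreach (['twitter_consumer_key', 'twitter_consumer_secret',
              'twitter_access_token', 'twitter_access_secret'] as $k) {
        if (!isset($s[$k]) || trim((string) $s[$k]) === '') {
            throw new RuntimeException(
                "Twitter setting '$k' is empty: register your own app on "
                . "dev.twitter.com and enter its keys in the control panel."
            );
        }
    }
    return $s;
}

// OAuth 1.0a HMAC-SHA1 Authorization header. The HMAC key is
// consumer_secret&token_secret: whoever holds the consumer secret can sign
// as the registered application, which is why it must not be in the source.
function oauth_header(string $method, string $url, array $params,
                      array $s, string $nonce, int $ts): string
{
    $oauth = [
        'oauth_consumer_key'     => $s['twitter_consumer_key'],
        'oauth_nonce'            => $nonce,
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) $ts,
        'oauth_token'            => $s['twitter_access_token'],
        'oauth_version'          => '1.0',
    ];
    // Signature base string: METHOD & url & sorted, percent-encoded parameters.
    $enc = [];
    foreach ($params + $oauth as $k => $v) {
        $enc[rawurlencode($k)] = rawurlencode($v);   // RFC 3986 encoding
    }
    ksort($enc, SORT_STRING);
    $paramStr = implode('&', array_map(fn($k, $v) => "$k=$v", array_keys($enc), $enc));
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode($paramStr);
    $key  = rawurlencode($s['twitter_consumer_secret']) . '&'
          . rawurlencode($s['twitter_access_secret']);
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $key, true));
    ksort($oauth, SORT_STRING);
    $parts = [];
    foreach ($oauth as $k => $v) {
        $parts[] = rawurlencode($k) . '="' . rawurlencode($v) . '"';
    }
    return 'OAuth ' . implode(', ', $parts);
}

// Endpoint URL assumed for illustration; the tweet text is constructed.
$settings = require_credentials(load_settings());
echo oauth_header('POST', 'https://api.twitter.com/1.1/statuses/update.json',
                  ['status' => 'Hello from the CMS module'],
                  $settings, bin2hex(random_bytes(16)), time()), PHP_EOL;
```

With the placeholder values replaced by the keys the webmaster obtained for their own registered app, the printed header is what the module would send as the Authorization header of the POST.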