[twitter-dev] Re: Protected Resources requests need not be signed by the Consumer secret?
I've been using both consumer keys to sign all of my requests from day one. I still think the issue is related to URL encoding somehow, because I can successfully post tweets if they don't contain troublesome characters (apostrophe, for example). But, so long as Twitter remains silent, we'll never know.

On Jul 25, 7:37 am, srikanth yaradla srikanth.yara...@gmail.com wrote:
> Hi,
>
> I am a newbie and I need clarification on the following:
>
> 1) The OAuth 1.0 specification says All Token requests and Protected Resources requests MUST be signed by the Consumer. But Twitter doesn't seem to verify the signature for all requests. I found out that signing the request by consumer secret is required only for generating the request token and request secret. But for subsequent requests the consumer secret is not required, ex. requesting access tokens or any protected resource (ex. fetch direct messages). Is this desired behavior? Does Twitter verify the signature at all for protected resource requests? (I verified with a blank consumer secret, which means the request is signed only by the access secret.) Or am I missing something?
>
> 2) I am planning to write a desktop application. To protect the consumer secret I am trying to introduce a proxy which generates the request tokens/secrets, access tokens/secrets. If the consumer secret is not required for signing protected resource requests, this setup would work fine with me. But the OAuth specification says you require both the access secret and the consumer secret to sign the request: http://oauth.net/core/1.0/#anchor30
>
> Experienced devs please clarify.
>
> Regards
> Srikanth
[twitter-dev] Re: Protected Resources requests need not be signed by the Consumer secret?
I don't think you got my point. Whether you were signing using both secrets or one secret doesn't matter, because Twitter wasn't verifying the signature at all. Now they have fixed this and all your protected service requests must be signed by both secrets. My problem is how to protect the consumer secret. Looks like I can't protect it, as this is the case with desktop clients using OAuth.

On Tue, Jul 28, 2009 at 6:30 PM, Duane Roelands duane.roela...@gmail.com wrote:
> I've been using both consumer keys to sign all of my requests from day one. I still think the issue is related to URL encoding somehow, because I can successfully post tweets if they don't contain troublesome characters (apostrophe, for example). But, so long as Twitter remains silent, we'll never know.
>
> On Jul 25, 7:37 am, srikanth yaradla srikanth.yara...@gmail.com wrote:
> > Hi,
> >
> > I am a newbie and I need clarification on the following:
> >
> > 1) The OAuth 1.0 specification says All Token requests and Protected Resources requests MUST be signed by the Consumer. But Twitter doesn't seem to verify the signature for all requests. I found out that signing the request by consumer secret is required only for generating the request token and request secret. But for subsequent requests the consumer secret is not required, ex. requesting access tokens or any protected resource (ex. fetch direct messages). Is this desired behavior? Does Twitter verify the signature at all for protected resource requests? (I verified with a blank consumer secret, which means the request is signed only by the access secret.) Or am I missing something?
> >
> > 2) I am planning to write a desktop application. To protect the consumer secret I am trying to introduce a proxy which generates the request tokens/secrets, access tokens/secrets. If the consumer secret is not required for signing protected resource requests, this setup would work fine with me. But the OAuth specification says you require both the access secret and the consumer secret to sign the request: http://oauth.net/core/1.0/#anchor30
> >
> > Experienced devs please clarify.
> >
> > Regards
> > Srikanth
[twitter-dev] Re: Protected Resources requests need not be signed by the Consumer secret?
I have the same issue with my application. Desktop apps are forced to either embed the consumer keys in source code or construct some sort of elaborate server mechanism. There's no good answer here. When my application approaches 1.0 release, I'll probably use Dotfuscator or something similar to help protect the keys that are in the source. It won't stop a determined attacker, but it will at least deter the less-determined ones.

On Jul 28, 10:38 am, srikanth reddy srikanth.yara...@gmail.com wrote:
> I don't think you got my point. Whether you were signing using both secrets or one secret doesn't matter, because Twitter wasn't verifying the signature at all. Now they have fixed this and all your protected service requests must be signed by both secrets. My problem is how to protect the consumer secret. Looks like I can't protect it, as this is the case with desktop clients using OAuth.
>
> On Tue, Jul 28, 2009 at 6:30 PM, Duane Roelands duane.roela...@gmail.com wrote:
> > I've been using both consumer keys to sign all of my requests from day one. I still think the issue is related to URL encoding somehow, because I can successfully post tweets if they don't contain troublesome characters (apostrophe, for example). But, so long as Twitter remains silent, we'll never know.
> >
> > On Jul 25, 7:37 am, srikanth yaradla srikanth.yara...@gmail.com wrote:
> > > Hi,
> > >
> > > I am a newbie and I need clarification on the following:
> > >
> > > 1) The OAuth 1.0 specification says All Token requests and Protected Resources requests MUST be signed by the Consumer. But Twitter doesn't seem to verify the signature for all requests. I found out that signing the request by consumer secret is required only for generating the request token and request secret. But for subsequent requests the consumer secret is not required, ex. requesting access tokens or any protected resource (ex. fetch direct messages). Is this desired behavior? Does Twitter verify the signature at all for protected resource requests? (I verified with a blank consumer secret, which means the request is signed only by the access secret.) Or am I missing something?
> > >
> > > 2) I am planning to write a desktop application. To protect the consumer secret I am trying to introduce a proxy which generates the request tokens/secrets, access tokens/secrets. If the consumer secret is not required for signing protected resource requests, this setup would work fine with me. But the OAuth specification says you require both the access secret and the consumer secret to sign the request: http://oauth.net/core/1.0/#anchor30
> > >
> > > Experienced devs please clarify.
> > >
> > > Regards
> > > Srikanth
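
The signing rule this thread turns on, as an added example (not code from any poster or from Twitter): under OAuth Core 1.0 HMAC-SHA1 the key joins the consumer secret and the token secret, so a provider that actually verifies rejects a signature made with a blank consumer secret, and an encoder that leaves the apostrophe unescaped yields a different base string. The URL, keys, secrets and the `safe` knob used to model a lax encoder are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def enc(value, safe=""):
    """Percent-encode per OAuth Core 1.0 section 5.1: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe=safe)


def base_string(method, url, params, safe=""):
    """Signature base string: METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((enc(k, safe), enc(v, safe)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret, safe=""):
    """HMAC-SHA1 signature; the key always joins BOTH secrets with '&'."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    text = base_string(method, url, params, safe).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def provider_verifies(method, url, params, signature, consumer_secret, token_secret):
    """Service Provider side: recompute with the stored secrets, compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample request; every value below is made up for illustration.
URL = "https://api.example.com/statuses/update"
PARAMS = {
    "oauth_consumer_key": "ck-sample",
    "oauth_token": "at-sample",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1248790000",
    "oauth_nonce": "n0nce",
    "oauth_version": "1.0",
    "status": "it's working",
}
CONSUMER_SECRET, TOKEN_SECRET = "cs-sample", "ts-sample"

good = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
blank_consumer = sign("POST", URL, PARAMS, "", TOKEN_SECRET)  # key is "&ts-sample"
lax_encoding = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET, safe="'")  # ' left raw
```

Only `good` passes `provider_verifies`; the other two signatures are rejected once the provider recomputes the HMAC with both stored secrets and strict encoding.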