Re: [twitter-dev] OAuth and Hardware
On 8/11/10 6:30 PM, ERenken wrote:
> So how can I use OAuth on a hardware device we are creating that doesn't have a UI? Can I share the key between all the devices? This is only twittering to 1 account that we have created. Seems like OAuth is going to make stuff like this harder for people to develop. Seems like it would have just been easier for security if you would have added HTTPS and left basic auth. At least for embedded devices so they could send tweets.

If there's no chance of the key leaking to people outside of your company (or whoever uses your application) then I don't see why not. It's always better than sharing username/password like with Basic Auth, and if they all use the same account, it's no problem at all.

Of course, a better solution would be to create a simple proxy, but that may take some more programming and money if you don't have a server for it.

Tom

Re: [twitter-dev] OAuth and Hardware
One implementation option you have is to build only the portions of OAuth that you need to meet your goals. On dev.twitter.com we provide a feature that allows you to retrieve the access token for your own account, owning the application. You would then hard code this access token and your API keys within your device (with best effort security).

The migration from basic auth isn't an issue of protecting from man-in-the-middle attacks (such that SSL would prevent) but more of an issue with applications having access to Twitter usernames and passwords. There are many people who use the same passwords across multiple sites, so the security risk of supporting basic auth does not stop at Twitter.

Taylor

On Wed, Aug 11, 2010 at 9:30 AM, ERenken eren...@gmail.com wrote:
> So how can I use OAuth on a hardware device we are creating that doesn't have a UI? Can I share the key between all the devices? This is only twittering to 1 account that we have created. Seems like OAuth is going to make stuff like this harder for people to develop. Seems like it would have just been easier for security if you would have added HTTPS and left basic auth. At least for embedded devices so they could send tweets.
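
The single-token approach described in the reply above needs only the request-signing part of OAuth 1.0 (RFC 5849, HMAC-SHA1), with no user-facing authorization step. The sketch below is an added example, not code from this thread or from Twitter; the credentials and the endpoint URL are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Constructed placeholder credentials; a real device would load the values
# issued for its own application and account from protected storage.
CONSUMER_KEY = "EXAMPLE-CONSUMER-KEY"
CONSUMER_SECRET = "EXAMPLE-CONSUMER-SECRET"
ACCESS_TOKEN = "EXAMPLE-ACCESS-TOKEN"
ACCESS_TOKEN_SECRET = "EXAMPLE-TOKEN-SECRET"
UPDATE_URL = "https://api.example.com/statuses/update.json"  # placeholder URL


def enc(value):
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(param_string)])


def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with both secrets, base64-encoded."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, body_params, nonce=None, timestamp=None):
    """Build the OAuth Authorization header for one request."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": ACCESS_TOKEN,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**oauth, **body_params})
    oauth["oauth_signature"] = sign(base, CONSUMER_SECRET, ACCESS_TOKEN_SECRET)
    fields = ", ".join(f'{k}="{enc(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + fields


if __name__ == "__main__":
    print(authorization_header("POST", UPDATE_URL, {"status": "Door opened at 09:30"}))
```

The header carries the consumer key, the access token and the signature, but neither secret, so the two secrets never leave the device. Because every device holds the same secrets, a leak from one unit means regenerating the credentials for all of them.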