Re: [twitter-dev] Re: OAuth and Hardware
On 8/12/10 3:07 AM, ERenken wrote:
> Does the token ever expire?
>
> Eric
>
> On Aug 11, 9:38 am, Taylor Singletary taylorsinglet...@twitter.com wrote:
>> One implementation option you have is to build only the portions of OAuth that you need to meet your goals. On dev.twitter.com we provide a feature that allows you to retrieve the access token for your own account, owning the application. You would then hard code this access token and your API keys within your device (with best effort security).
>>
>> The migration from basic auth isn't an issue of protecting from man-in-the-middle attacks (such that SSL would prevent) but more of an issue with applications having access to Twitter usernames and passwords. There are many people who use the same passwords across multiple sites, so the security risk of supporting basic auth does not stop at Twitter.
>>
>> Taylor
>>
>> On Wed, Aug 11, 2010 at 9:30 AM, ERenken eren...@gmail.com wrote:
>>> So how can I use OAuth on a hardware device we are creating that doesn't have a UI? Can I share the key between all the devices? This is only twittering to 1 account that we have created.
>>>
>>> Seems like OAuth is going to make stuff like this harder for people to develop. Seems like it would have just been easier for security if you would have added HTTPS and left basic auth. At least for embedded devices so they could send tweets.

Currently, no. However, somewhere in the documentation it states that this may be changed in the future.

Tom

Re: [twitter-dev] Re: OAuth and Hardware
On 8/12/10 3:07 AM, ERenken wrote:
> Does the token ever expire?
>
> Eric
>
> On Aug 11, 9:38 am, Taylor Singletary taylorsinglet...@twitter.com wrote:
>> One implementation option you have is to build only the portions of OAuth that you need to meet your goals. On dev.twitter.com we provide a feature that allows you to retrieve the access token for your own account, owning the application. You would then hard code this access token and your API keys within your device (with best effort security).
>>
>> The migration from basic auth isn't an issue of protecting from man-in-the-middle attacks (such that SSL would prevent) but more of an issue with applications having access to Twitter usernames and passwords. There are many people who use the same passwords across multiple sites, so the security risk of supporting basic auth does not stop at Twitter.
>>
>> Taylor
>>
>> On Wed, Aug 11, 2010 at 9:30 AM, ERenken eren...@gmail.com wrote:
>>> So how can I use OAuth on a hardware device we are creating that doesn't have a UI? Can I share the key between all the devices? This is only twittering to 1 account that we have created.
>>>
>>> Seems like OAuth is going to make stuff like this harder for people to develop. Seems like it would have just been easier for security if you would have added HTTPS and left basic auth. At least for embedded devices so they could send tweets.

As a reply to my previous e-mail: Your question is listed on the FAQ :-)

http://dev.twitter.com/pages/oauth_faq

Tom

Re: [twitter-dev] Re: OAuth and Hardware
On 8/12/10 3:10 AM, ERenken wrote:
> I thought about doing the proxy, but I liked having the device do it itself and a lot less code just having the device do it. I will just hard code it.
>
> I would assume we can invalidate a token if for some reason it is compromised. Like managing applications in Facebook.
>
> Eric
>
> On Aug 11, 9:36 am, Tom van der Woerdt i...@tvdw.eu wrote:
>> On 8/11/10 6:30 PM, ERenken wrote:
>>> So how can I use OAuth on a hardware device we are creating that doesn't have a UI? Can I share the key between all the devices? This is only twittering to 1 account that we have created.
>>>
>>> Seems like OAuth is going to make stuff like this harder for people to develop. Seems like it would have just been easier for security if you would have added HTTPS and left basic auth. At least for embedded devices so they could send tweets.
>>
>> If there's no chance of the key leaking to people outside of your company (or whoever uses your application) then I don't see why not. It's always better than sharing username/password like with Basic Auth, and if they all use the same account, it's no problem at all.
>>
>> Of course, a better solution would be to create a simple proxy, but that may take some more programming and money if you don't have a server for it.
>>
>> Tom

Yes, you can. At http://dev.twitter.com/apps you can simply click Reset.

Tom
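
The only portion of OAuth a headless, single-account device needs under the approach discussed in this thread is per-request signing with the stored access token. The following is an added example of OAuth 1.0a HMAC-SHA1 signing, not code from the thread or from Twitter; the credentials, the `api.example.com` endpoint and all function names are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Constructed placeholder credentials (assumptions, not real keys). On a device
# these four values are the hard-coded secrets; anyone who can read the firmware
# can read them, so keep the account single-purpose and the token resettable.
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer-key", "example-consumer-secret"
ACCESS_TOKEN, TOKEN_SECRET = "12345-example-access-token", "example-token-secret"

def pct(value):
    """Percent-encode as OAuth 1.0a requires (only A-Z a-z 0-9 - . _ ~ stay)."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, body_params, nonce=None, timestamp=None):
    """Build the Authorization header for one request using the stored token."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),   # fresh per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": ACCESS_TOKEN,
        "oauth_version": "1.0",
    }
    # Body parameters are signed together with the oauth_* parameters,
    # but only the oauth_* parameters are sent in the header.
    oauth["oauth_signature"] = sign(method, url, {**body_params, **oauth},
                                    CONSUMER_SECRET, TOKEN_SECRET)
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + fields

if __name__ == "__main__":
    # Hypothetical endpoint; the header is printed, no request is sent.
    print(authorization_header("POST", "https://api.example.com/1/statuses/update.json",
                               {"status": "Sensor 7: door opened"}))
```

The device needs a reasonably accurate clock for `oauth_timestamp`. After the token is reset, the hard-coded token and token secret stop working and have to be replaced on every device.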