True, but none of that addresses the central points that I'm trying to make:
1. The OAuth Core documentation says that providers should not rely on the Consumer Secret to identify consumers.
2. Twitter's implementation of OAuth appears to do exactly what the OAuth Core documentation says not to do.
3. As a result, open-source developers have to expose the Consumer Secret for their application, opening their keys to potential abuse and eventual cancellation by Twitter.

That's a problem. What's done is done and I don't expect Twitter to abandon OAuth. But it's an important issue that's worth talking about because it's a security risk for developers of desktop clients.

On Jul 1, 9:50 am, Abraham Williams <4bra...@gmail.com> wrote:
> True. But I'm pretty sure that there are more active grandfathered
> sources than OAuth sources. And it takes nothing to create a new OAuth
> application that has the same source as an existing OAuth application
> but with only a slightly different name.