True, but none of that addresses the central points that I'm trying to

1. The OAuth Core documentation says that providers should not rely on
the Consumer Secret to identify consumers.
2. Twitter's implementation of OAuth appears to do exactly what the
OAuth Core documentation says not to do.
3. As a result, open-source developers have to expose the Consumer
Secret for their application, opening their keys to potential abuse
and eventual cancellation by Twitter.

That's a problem.

What's done is done and I don't expect Twitter to abandon OAuth.  But
it's an important issue that's worth talking about because it's a
security risk for developers of desktop clients.

On Jul 1, 9:50 am, Abraham Williams <> wrote:
> True. But I'm pretty sure that there are more active grandfathered
> sources than OAuth sources. And it takes nothing to create a new OAuth
> application that has the same source as an existing OAuth application
> but with only a slightly different name.

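An added example (written here for illustration, not code from anyone in this thread, from Twitter, or from the OAuth Core spec) of the OAuth 1.0 HMAC-SHA1 signing that the argument above turns on. The signing key is the percent-encoded Consumer Secret joined to the token secret with "&", so anyone who lifts the Consumer Secret out of a shipped open-source client can produce signatures that the provider attributes to that registered application; the provider's verification step cannot tell the two apart. Every key, secret, token, URL and registry entry below is a constructed placeholder, not a real credential or endpoint.

```python
"""OAuth 1.0 HMAC-SHA1 signing and verification, with a cloned-consumer scenario.

Added example, not from the original thread. All keys, secrets, tokens and the
URL are constructed placeholders (assumptions), not real Twitter values.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are left bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the signature base string: METHOD & url & normalized-params.

    Parameters are percent-encoded, sorted by encoded key then value, joined with
    '&', and the whole parameter string is percent-encoded again. Any existing
    oauth_signature is excluded, so the same function serves signer and verifier.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key = pct(consumer_secret) '&' pct(token_secret); output is base64 of HMAC-SHA1."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> dict:
    """What a client does: attach oauth_signature computed over the request."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return signed


def provider_verify(method: str, url: str, signed: dict, consumer_secrets: dict, token_secrets: dict) -> bool:
    """What a provider does: look up secrets by oauth_consumer_key / oauth_token and recompute.

    Only the secrets and the signature matter; nothing here can distinguish the
    registered application from a copy that extracted the same Consumer Secret.
    """
    consumer_secret = consumer_secrets.get(signed.get("oauth_consumer_key", ""))
    if consumer_secret is None:
        return False  # unknown consumer key
    token_secret = token_secrets.get(signed.get("oauth_token", ""), "")
    expected = hmac_sha1_signature(signature_base_string(method, url, signed), consumer_secret, token_secret)
    # constant-time comparison so the check itself does not leak the signature
    return hmac.compare_digest(expected, signed.get("oauth_signature", ""))


# Constructed provider-side registry (placeholders, not real credentials).
CONSUMER_SECRETS = {"desktopclient-key": "desktopclient-secret"}
TOKEN_SECRETS = {"alice-token": "alice-token-secret", "mallory-token": "mallory-token-secret"}
URL = "https://example.com/1/statuses/update.json"  # assumed endpoint


def demo():
    """Returns (legit_ok, impostor_ok, wrong_secret_ok, key_seen_for_impostor)."""
    base = {"oauth_consumer_key": "desktopclient-key", "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": "1246456200", "oauth_version": "1.0"}

    # The real open-source client, signing for user Alice with the shipped Consumer Secret.
    legit = sign_request("POST", URL, {**base, "oauth_token": "alice-token",
                         "oauth_nonce": "n1", "status": "hello"},
                         "desktopclient-secret", "alice-token-secret")

    # Mallory read the same Consumer Secret out of the published source and signs
    # with it for her own account; the provider sees the registered app's key.
    impostor = sign_request("POST", URL, {**base, "oauth_token": "mallory-token",
                            "oauth_nonce": "n2", "status": "spam"},
                            "desktopclient-secret", "mallory-token-secret")

    # Someone guessing the Consumer Secret wrongly is rejected.
    guesser = sign_request("POST", URL, {**base, "oauth_token": "mallory-token",
                           "oauth_nonce": "n3", "status": "spam"},
                           "not-the-secret", "mallory-token-secret")

    return (provider_verify("POST", URL, legit, CONSUMER_SECRETS, TOKEN_SECRETS),
            provider_verify("POST", URL, impostor, CONSUMER_SECRETS, TOKEN_SECRETS),
            provider_verify("POST", URL, guesser, CONSUMER_SECRETS, TOKEN_SECRETS),
            impostor["oauth_consumer_key"])


if __name__ == "__main__":
    print(demo())
```

Both the genuine client and the copy verify, and the provider's log for the copy shows the genuine application's consumer key, which is exactly why revocation of that key punishes the legitimate developer rather than the abuser.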