Might sorta work on webapps, or maybe desktop compiled code (assuming the config is compiled in at build time), but that doesn't help for desktop apps written in interpreted langs, where all source code and configs would be easily viewable (although I could imagine some initial setup stuff where it could get obscured).
Not that I'm on either side of whatever this is. On Jul 1, 9:32 am, Andrew Badera <[email protected]> wrote: > The secret should not reside in code. The secret should reside in a > config file, or maybe even a machine datastore. Abstract it out, no > one ever needs to see anything secret in your code. > > Thanks- > - Andy Badera > - [email protected] > - Google me:http://www.google.com/search?q=andrew+badera > - This email is: [ ] bloggable [x] ask first [ ] private > > On Wed, Jul 1, 2009 at 9:25 AM, DWRoelands<[email protected]> wrote: > > > If you check out the OAuth Core Abstract, Section 4 (http://oauth.net/ > > core/1.0#anchor4) states it pretty plainly: > > > "Service Providers SHOULD NOT rely on the Consumer Secret as a method > > to verify the Consumer identity, unless the Consumer Secret is known > > to be inaccessible to anyone other than the Consumer and the Service > > Provider." > > > This is exactly what Twitter has done with the Consumer Secret; they > > rely on it to verify the Consumer identity. > > > This is a thorny dilemma for open source developers. There's no way > > to share the source code without compromising your application's > > security, because you've got to include the Consumer Key Secret in the > > source. You can obfuscate and encrypt, but a malicious actor with > > access to the source code can simply "step through" the code until the > > Consumer Secret is exposed in plain text. > > > In any event, what's done is done, and Twitter certainly isn't going > > to abandon OAuth at this point. But opening the source of my Twitter > > client seems to be out of the question if I want to use OAuth. > > > On Jul 1, 8:10 am, Philip Plante <[email protected]> wrote: > >> I do not feel you've made a mountain out of a mole hill here. This > >> topic has been on my mind since I first encountered oAuth. I haven't > >> seen any open source apps use oAuth yet. > >
