> The worst that happens if you publish the consumer tokens in an
> open source app is someone malicious uses it to abuse Twitter and the
> consumer token gets banned. At which point you regenerate a new one
> and push a new version of the app. The cycle may or may not start
> again depending on the malicious party.
> 
> They can not act upon user accounts without the users going through
> the authorize flow. Using basic auth it is already possible to use any
> source and "impersonate" another application so not much is changing
> here except better security for web applications.

But the situation you state above is a bigger price to pay than if an
app is impersonated via basic auth. In basic auth, it's simply cosmetic.
In OAuth, you can certainly cause no small amount of turmoil by forcing
open source apps to push out new versions by no fault of their own. That's
not exactly an even playing field.

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- Man who live in glass house dress in basement. -----------------------------