I wasn't thinking about downstream requests where you still need both tokens, just token requests ... yeah, that's rough.
On Sat, Jul 4, 2009 at 10:38 PM, Dossy Shiobara <[email protected]> wrote:
>
> On 7/4/09 5:30 AM, Andrew Badera wrote:
>>
>> I haven't done much "real" desktop OAuth, mostly web ... but can't you
>> simply proxy the request through your own server, and keep the secret
>> on your server, serving client requests centrally?
>
> Yes, yes you can - then you get to enjoy the Twitter rate limit issue and
> having to scale to accommodate concurrent sessions.
>
> The "beauty" of desktop applications is the decentralized nature, using
> resources "close" to the user (as opposed to "further away" on a server).
> This means scaling per user is "built in" as the user brings their own
> resources.
>
> OAuth's implicit requirement of funneling everything through a server in
> order to protect a secret is a defect in the design of OAuth, one that I've
> raised on the OAuth mailing lists to which I received the response of "well,
> that's not a problem OAuth is trying to solve." In other words: EPIC FAIL.
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)
