I wasn't thinking about downstream requests where you still need both
tokens, just token requests ... yeah, that's rough.




On Sat, Jul 4, 2009 at 10:38 PM, Dossy Shiobara<do...@panoptic.com> wrote:
>
> On 7/4/09 5:30 AM, Andrew Badera wrote:
>>
>> I haven't done much "real" desktop OAuth, mostly web ... but can't you
>> simply proxy the request through your own server, and keep the secret
>> on your server, serving client requests centrally?
>
> Yes, yes you can - then you get to enjoy the Twitter rate limit issue and
> having to scale to accommodate concurrent sessions.
>
> The "beauty" of desktop applications is the decentralized nature, using
> resources "close" to the user (as opposed to "further away" on a server).
>  This means scaling per user is "built in" as the user brings their own
> resources.
>
> OAuth's implicit requirement of funneling everything through a server in
> order to protect a secret is a defect in the design of OAuth, one that I've
> raised on the OAuth mailing lists to which I received the response of "well,
> that's not a problem OAuth is trying to solve."  In other words: EPIC FAIL.
>
> --
> Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
> Panoptic Computer Network   | http://panoptic.com/
>  "He realized the fastest way to change is to laugh at your own
>    folly -- then you can let go and quickly move on." (p. 70)
>

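An added illustration of the point raised in this thread (not code from either poster or from Twitter): in OAuth 1.0 HMAC-SHA1 signing, the consumer secret is part of the signing key for every request, not only the token exchange, so a server that keeps the secret has to sign downstream API calls as well. The endpoint, keys and secrets below are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    # Parameters are encoded, sorted, joined, then encoded again as one unit.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key always contains the consumer secret; the token secret is
    # appended once one has been issued (empty for the request-token step).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


# Constructed sample request and secrets (placeholders, not real credentials).
URL = "https://api.example.test/statuses/update.json"
PARAMS = {
    "oauth_consumer_key": "desktop-app-key",
    "oauth_token": "user-access-token",
    "oauth_nonce": "n0nc3",
    "oauth_timestamp": "1246761480",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
    "status": "hello world",
}
CONSUMER_SECRET = "app-secret-placeholder"
TOKEN_SECRET = "user-token-secret-placeholder"

if __name__ == "__main__":
    full = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    # What a client holding only the user's token secret could compute:
    token_only = sign("POST", URL, PARAMS, "", TOKEN_SECRET)
    print("signed with both secrets:  ", full)
    print("signed without app secret: ", token_only)
    print("signatures match:", full == token_only)
```

The two signatures differ, so a desktop client that is handed only the access token and token secret cannot produce a valid signature for an API call on its own.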