@chris
You cannot ask every user to get a new consumer token/secret.
There is no way you can protect a consumer secret.
@Joseph
<<fetch the key and secret at runtime from a secure
server somewhere?  that could be trivially intercepted.>>
As far as I know this is the best way to hide the consumer secret. This will
not stop a determined user who tries to intercept the keys, but you have the
option of changing your key/secret values (for a consumer) periodically.
Other options are obfuscating/encrypting secrets at the client side (again it
will not stop a determined user). But key management is difficult here,
as you have to download the app every time (or whenever the risk of keys being
compromised is high).

Srikanth


On Mon, Aug 17, 2009 at 6:31 PM, Joseph Cheek <jos...@cheek.com> wrote:

>
> This is interesting Chris, as I have had the same question.  How would
> you propose to distribute a usable FLOSS twitter app that uses Oauth to
> authenticate itself but doesn't include the app's consumer key and
> consumer secret?  fetch the key and secret at runtime from a secure
> server somewhere?  that could be trivially intercepted.
>
> Joseph Cheek
> @cheekdotcom
>
> Chris Babcock wrote:
> > On Sun, 16 Aug 2009 18:49:49 -0400
> > Jason Martin <legos.j...@gmail.com> wrote:
> >
> >
> >> On another note, how "Open Source friendly" is OAuth? I'm not sure
> >> if people who write open source software want to be giving out their
> >> Consumer Secret key in their source code
> >>
> >
> > Reasoning from a faulty premise.
> >
> > When you know your code is going to be seen you either avoid doing
> > stupid things like hard coding credentials or you learn fast that
> > configuration data is not code.
> >
> > (Now where I did leave my virtual haddock?)
> >
> > Chris Babcock
> >
> >
> >
> >
>

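The thread above is about where an OAuth 1.0a client keeps its consumer secret, and Chris's point that "configuration data is not code". The following is an added example written for this page, not code from any poster or from Twitter's or OAuth's libraries: it implements OAuth 1.0a HMAC-SHA1 signing (RFC 5849 base string, percent-encoding and `consumer_secret&token_secret` key) with the consumer key/secret read from configuration instead of being hard-coded, plus the server-side verification step. The API URL, the environment-variable names `OAUTH_CONSUMER_KEY`/`OAUTH_CONSUMER_SECRET`, and every key, secret, nonce and timestamp value are constructed for illustration. It shows concretely why a client must hold the secret at all: it is half of the HMAC key for every request, which is exactly why no packaging trick can keep it from the user running the client.

```python
"""OAuth 1.0a HMAC-SHA1 request signing with the consumer secret supplied
as configuration rather than hard-coded in the (published) source.
Added example for this thread; names and values below are constructed."""
import base64
import hashlib
import hmac
import os
from urllib.parse import quote, urlsplit


def percent_encode(value):
    # RFC 5849 section 3.6: only unreserved characters are left untouched.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Build the signature base string from the HTTP method, the base URL
    and all query/body/oauth_* parameters (oauth_signature excluded)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    netloc = host
    # Default ports are dropped from the base URL.
    if port and not ((scheme == "http" and port == 80) or
                     (scheme == "https" and port == 443)):
        netloc = f"{host}:{port}"
    base_url = f"{scheme}://{netloc}{parts.path}"
    # Sort by encoded name, then encoded value (handles duplicate names).
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url),
                     percent_encode(normalized)])


def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key is both secrets joined by '&'."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def load_consumer_credentials(config=os.environ):
    """Read the consumer key/secret from configuration (environment variables
    under assumed names) so the distributed source never carries them."""
    try:
        return config["OAUTH_CONSUMER_KEY"], config["OAUTH_CONSUMER_SECRET"]
    except KeyError as exc:
        raise RuntimeError(f"missing configuration: {exc.args[0]}") from None


def signed_request(method, url, params, config, nonce, timestamp,
                   token=None, token_secret=""):
    """Client side: return (base_string, oauth_signature) for one request."""
    consumer_key, consumer_secret = load_consumer_credentials(config)
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_version", "1.0"),
    ]
    if token:
        oauth_params.append(("oauth_token", token))
    base = base_string(method, url, list(params) + oauth_params)
    return base, sign(base, consumer_secret, token_secret)


def verify(method, url, params_with_signature, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    presented = dict(params_with_signature).get("oauth_signature", "")
    base = base_string(method, url, params_with_signature)
    expected = sign(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed configuration standing in for real environment variables.
    cfg = {"OAUTH_CONSUMER_KEY": "ck_example",
           "OAUTH_CONSUMER_SECRET": "cs_example"}
    url = "https://api.example.com/1/statuses/home_timeline.json"
    base, sig = signed_request("GET", url, [("count", "20")], cfg,
                               nonce="abc123", timestamp=1250526660,
                               token="tk_example", token_secret="ts_example")
    print(base)
    print("oauth_signature =", sig)
```

Usage note: the secrets stay out of the source and come in through `config`, but the process still needs the plaintext consumer secret in memory to compute the HMAC, so rotating the key/secret pair (as suggested in the thread) is the only remedy once it leaks.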