This is a good discussion - I've yet to find a canonical answer for how this
*should* be done for client-side/consumer apps.

If you are distributing a server application, then putting the application
registration instructions in a README is perhaps not such a big deal.
Desktop/mobile apps are another matter though.

It's also worth saying that even if you could find a secure way of
distributing a consumer key, you gotta ask if it's even the right thing to be
doing. I think not. Definitely not. Once the code is "out there", I don't
want everyone authenticating with _my_ application registration and consumer
key (at this point, I have no way of knowing that the app hasn't been
modified in some way that I do not approve of. I risk one rogue instance
getting me blacklisted and in turn disabling every other instance. Great,
DoS by design).

Since the README approach is such a big no-no for client-side/consumer apps,
the question I'd be asking is: where is the API for performing an initial
application registration/bootstrap?

i.e. an example of the scenario I have in mind (considering a desktop app):
- user installs the app
- on first use, directs the user through online login to Twitter and an
automatic OAuth client app request
- newly registered application credentials transparently returned to the
application (securely; somehow)
- application saves the (instance specific) application key and consumer
secret; uses these for standard OAuth in subsequent sessions.

Does anything along these lines already exist? If so, I haven't stumbled
upon it yet.


On Mon, Aug 17, 2009 at 9:01 PM, Joseph Cheek <> wrote:

> This is interesting Chris, as I have had the same question.  How would
> you propose to distribute a usable FLOSS Twitter app that uses OAuth to
> authenticate itself but doesn't include the app's consumer key and
> consumer secret?  Fetch the key and secret at runtime from a secure
> server somewhere?  That could be trivially intercepted.
> Joseph Cheek
> @cheekdotcom
> Chris Babcock wrote:
> > On Sun, 16 Aug 2009 18:49:49 -0400
> > Jason Martin <> wrote:
> >
> >
> >> On another note, how "Open Source friendly" is OAuth? I'm not sure
> >> if people who write open source software want to be giving out their
> >> Consumer Secret key in their source code
> >>
> >
> > Reasoning from a faulty premise.
> >
> > When you know your code is going to be seen you either avoid doing
> > stupid things like hard coding credentials or you learn fast that
> > configuration data is not code.
> >
> > (Now where I did leave my virtual haddock?)
> >
> > Chris Babcock
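The per-instance bootstrap flow sketched in the first message above (install, log in, automatic registration, store the returned credentials, use them for later sessions), as an added example that is not part of this thread or of any provider's API: a constructed Python simulation of both the provider side and the desktop client. The service class, the "session token" login, the storage dict and all user names and passwords are assumptions for illustration. What it shows beyond the text is the blast-radius point from the message: because every install holds its own client id and secret, revoking one rogue instance leaves every other instance working, and the provider keeps only a hash of each secret so a leaked registration table does not yield usable credentials. It does not solve the "securely; somehow" step; it assumes the registration response travels over an authenticated channel (TLS to the provider), which is the same interception concern Joseph raises. OAuth 2.0 Dynamic Client Registration (RFC 7591) later standardized a registration endpoint of this general shape; the code below is a simplification, not an implementation of that RFC.

```python
"""Per-instance application registration (constructed example, not any provider's API).

Instead of shipping one consumer key/secret inside the source, each installed copy
obtains its own credentials on first run, after the user has logged in to the
provider. The provider can then revoke a single misbehaving instance without
touching any other copy. Every name, endpoint and credential here is assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_secret(secret: str) -> str:
    # The provider stores only a hash; a leaked registration table yields no usable secrets.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Instance:
    client_id: str
    secret_hash: str
    owner: str
    app_name: str
    revoked: bool = False


@dataclass
class RegistrationService:
    """Constructed stand-in for a provider-side bootstrap/registration endpoint."""
    users: dict                                   # username -> password (constructed test data)
    instances: dict = field(default_factory=dict)  # client_id -> Instance
    sessions: dict = field(default_factory=dict)   # login token -> username

    def login(self, username: str, password: str) -> str:
        """Step 2 of the flow: the user logs in to the provider; returns a one-shot session token."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = username
        return token

    def register_instance(self, session_token: str, app_name: str) -> tuple:
        """Step 3: mint credentials bound to this user and this install; the secret is returned once."""
        owner = self.sessions.pop(session_token, None)  # one registration per login
        if owner is None:
            raise PermissionError("no valid login session")
        client_id = secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(32)
        self.instances[client_id] = Instance(client_id, _hash_secret(client_secret), owner, app_name)
        return client_id, client_secret

    def revoke(self, client_id: str) -> None:
        """Disable one rogue instance; every other instance keeps working."""
        self.instances[client_id].revoked = True

    def authenticate(self, client_id: str, client_secret: str) -> bool:
        """Step 4, provider side: check an instance's own credentials on a later session."""
        inst = self.instances.get(client_id)
        if inst is None or inst.revoked:
            return False
        return hmac.compare_digest(inst.secret_hash, _hash_secret(client_secret))


class DesktopApp:
    """Constructed client: keeps per-install credentials instead of a baked-in consumer key."""

    def __init__(self, storage: dict):
        self.storage = storage  # stand-in for a per-user keychain or config file

    def first_run(self, service: RegistrationService, username: str, password: str) -> None:
        token = service.login(username, password)
        client_id, client_secret = service.register_instance(token, "ExampleDesktopClient")
        self.storage["client_id"] = client_id
        self.storage["client_secret"] = client_secret

    def later_session(self, service: RegistrationService) -> bool:
        return service.authenticate(self.storage["client_id"], self.storage["client_secret"])


def demo() -> dict:
    """Two installs register; one is revoked; the other is unaffected."""
    service = RegistrationService(users={"alice": "pw-alice", "bob": "pw-bob"})
    a, b = DesktopApp({}), DesktopApp({})
    a.first_run(service, "alice", "pw-alice")
    b.first_run(service, "bob", "pw-bob")
    before = (a.later_session(service), b.later_session(service))
    service.revoke(a.storage["client_id"])  # instance A is treated as rogue
    after = (a.later_session(service), b.later_session(service))
    stored_hashes = [i.secret_hash for i in service.instances.values()]
    return {
        "distinct_ids": a.storage["client_id"] != b.storage["client_id"],
        "before_revoke": before,
        "after_revoke": after,
        "secret_stored_in_clear": a.storage["client_secret"] in stored_hashes,
    }


if __name__ == "__main__":
    print(demo())
```

The one-shot session token and the "secret returned once" rule are the two design choices worth keeping if this were built for real: the registration call cannot be replayed to mint extra credentials, and the provider never needs to hold a recoverable copy of any instance's secret.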
