This is a good discussion - I've yet to find a canonical answer for how this *should* be done for client-side/consumer apps.
If you are distributing a server application, then putting the application registration instructions in a README is perhaps not such a big deal. Desktop/mobile apps are another matter though.

It's also worth saying that even if you could find a secure way of distributing a consumer key, you gotta ask if it's even the right thing to be doing. I think not. Definitely not. Once the code is "out there", I don't want everyone authenticating with _my_ application registration and consumer key (at this point, I have no way of knowing that the app hasn't been modified in some way that I do not approve of. I risk one rogue instance getting me blacklisted and in turn disabling every other instance. Great, DoS by design).

Since the README approach is such a big no-no for client-side/consumer apps, the question I'd be asking is: where is the API for performing an initial application registration/bootstrap? i.e., an example of the scenario I have in mind (considering a desktop app):

- user installs the app
- on first use, directs the user through online login to twitter and automatic oauth client app request
- newly registered application credentials transparently returned to the application (securely; somehow)
- application saves the (instance specific) application key and consumer secret; uses these for standard oauth in subsequent sessions.

Does anything along these lines already exist? If so, I haven't stumbled upon it yet.

Regards,
Paul
http://tardate.com

On Mon, Aug 17, 2009 at 9:01 PM, Joseph Cheek <jos...@cheek.com> wrote:
>
> This is interesting Chris, as I have had the same question. How would
> you propose to distribute a usable FLOSS twitter app that uses OAuth to
> authenticate itself but doesn't include the app's consumer key and
> consumer secret? Fetch the key and secret at runtime from a secure
> server somewhere? That could be trivially intercepted.
>
> Joseph Cheek
> @cheekdotcom
>
> Chris Babcock wrote:
> > On Sun, 16 Aug 2009 18:49:49 -0400
> > Jason Martin <legos.j...@gmail.com> wrote:
> >
> >> On another note, how "Open Source friendly" is OAuth? I'm not sure
> >> if people who write open source software want to be giving out their
> >> Consumer Secret key in their source code
> >
> > Reasoning from a faulty premise.
> >
> > When you know your code is going to be seen you either avoid doing
> > stupid things like hard coding credentials or you learn fast that
> > configuration data is not code.
> >
> > (Now where did I leave my virtual haddock?)
> >
> > Chris Babcock
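The first-run bootstrap Paul sketches, as an added example that is not part of this thread or of any Twitter API: a hypothetical provider-side registration endpoint (RegistrationServer) that hands each installed instance its own consumer key and secret, a desktop-app side (AppInstance) that registers itself once, stores the credentials outside the source tree and signs OAuth 1.0a-style requests with them in later sessions, and the failure mode the post cares about: one blacklisted instance does not take the others down. The class names, the example URL and the plain `user_session` string standing in for the interactive browser login are all assumptions. Twitter offered no such API in 2009; the OAuth 2.0 Dynamic Client Registration protocol (RFC 7591) later standardized this shape of flow.

```python
import base64, hashlib, hmac, json, os, secrets, tempfile, time
from pathlib import Path
from urllib.parse import quote


def _enc(value):
    """RFC 5849 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def oauth_hmac_sha1(consumer_secret, token_secret, method, url, params):
    """HMAC-SHA1 over the RFC 5849 signature base string.
    params holds every oauth_* and request parameter except oauth_signature."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class RegistrationServer:
    """Hypothetical provider-side bootstrap API: one consumer key/secret per
    installed instance, each revocable on its own."""

    def __init__(self):
        self.clients = {}  # client_id -> record

    def register(self, user_session, app_name):
        # user_session stands in for the browser session of the login the user
        # just completed, so every key is tied to an accountable user, not the developer.
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "owner": user_session,
                                   "app": app_name, "revoked": False}
        return {"client_id": client_id, "client_secret": client_secret}

    def revoke(self, client_id):
        """Blacklist a single rogue instance; every other instance keeps working."""
        self.clients[client_id]["revoked"] = True

    def verify(self, method, url, signed_params):
        """Check a signed request. Toy: no nonce/timestamp replay checks and no
        per-user access token (a two-legged request)."""
        params = dict(signed_params)
        signature = params.pop("oauth_signature", "")
        record = self.clients.get(params.get("oauth_consumer_key"))
        if record is None or record["revoked"]:
            return False
        expected = oauth_hmac_sha1(record["secret"], "", method, url, params)
        return hmac.compare_digest(expected, signature)


class AppInstance:
    """One installed copy of the desktop app. Credentials live in a per-user
    file created on first run, never in the source tree or a README."""

    def __init__(self, cred_path):
        self.cred_path, self.creds = Path(cred_path), None

    def bootstrap(self, server, user_session, app_name="example-desktop-app"):
        if self.cred_path.exists():            # later sessions: reuse the stored key
            self.creds = json.loads(self.cred_path.read_text())
        else:                                  # first run: register this instance
            self.creds = server.register(user_session, app_name)
            self.cred_path.write_text(json.dumps(self.creds))
            os.chmod(self.cred_path, 0o600)    # owner-only; prefer the OS keychain in practice
        return self.creds

    def sign_request(self, method, url, params):
        signed = {**params,
                  "oauth_consumer_key": self.creds["client_id"],
                  "oauth_nonce": secrets.token_hex(8),
                  "oauth_timestamp": str(int(time.time())),
                  "oauth_signature_method": "HMAC-SHA1",
                  "oauth_version": "1.0"}
        signed["oauth_signature"] = oauth_hmac_sha1(self.creds["client_secret"], "",
                                                    method, url, signed)
        return signed


def demo():
    """Two installs register independently; revoking one leaves the other live."""
    server = RegistrationServer()
    url = "https://api.example.com/1/statuses/update.json"  # constructed endpoint
    with tempfile.TemporaryDirectory() as d:
        alice, bob = AppInstance(Path(d) / "alice.json"), AppInstance(Path(d) / "bob.json")
        alice.bootstrap(server, "alice-session")
        bob.bootstrap(server, "bob-session")
        alice_again = AppInstance(Path(d) / "alice.json")  # second launch of the same install
        alice_again.bootstrap(server, "alice-session")
        server.revoke(bob.creds["client_id"])              # one rogue instance gets blacklisted
        return {
            "distinct_keys": alice.creds["client_id"] != bob.creds["client_id"],
            "persisted": alice_again.creds == alice.creds,
            "registered": len(server.clients),
            "alice_ok": server.verify("POST", url, alice.sign_request("POST", url, {"status": "hello world"})),
            "bob_ok": server.verify("POST", url, bob.sign_request("POST", url, {"status": "hi"})),
        }


if __name__ == "__main__":
    print(demo())
```

The part the thread leaves open, "securely; somehow", is the channel between login and `register`: in this sketch it is a direct call, whereas a real provider would return the credentials only on the TLS-protected callback of the interactive login, and a phone-home fetch of a shared secret (Joseph's worry) would simply not exist because no shared secret exists.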