Silly me. I thought someone was talking about distributing source code.
Building an enduser distribution is somewhat to entirely different.

First, there really isn't any point to using OAuth for a client unless
the client code lives on the network. The whole advantage of the scheme
is that the user does not have to disclose credentials to one or more
third parties. An application that doesn't access a third party network
should use basic authentication over HTTPS.

If Twitter decides to eliminate basic auth then the correct way (from a
security stand point) to implement OAuth would be to obtain a separate
key for each client. I don't see the current OAuth spec as being set up
to handle bulk key assignments, but you can't distribute a single key to
multiple clients outside of your network. Whether or not the app is
Open Source is a non-issue; It's complete FUD-rucking to imply that it
is any diffent distributing a secret key in a close source app than it
would be to do so in an open source app.

What happens if you try to use a screwdriver as a hammer? It's the same
thing here only someone had to drag Open Source into as if that made
any kind of a difference. To top it off, the OP had a complete
misunderstanding of the consequences of key disclosure. "A Spammer
could use it and get your app banned..." as if that's of any
consequence compared to the users' accounts getting hijacked by apps
impersonating your client.

And what's with keeping score as if Open Auth and basic were a couple
of talking tools on Disney Channel having some sort of ludicrous
rivalry?

Chris Babcock
 

> This is interesting Chris, as I have had the same question.  How would
> you propose to distribute a usable FLOSS twitter app that uses Oauth
> to authenticate itself but doesn't include the app's consumer key and
> consumer secret?  fetch the key and secret at runtime from a secure
> server somewhere?  that could be trivially intercepted.
> 
> Joseph Cheek
> @cheekdotcom
> 
> Chris Babcock wrote:
> > On Sun, 16 Aug 2009 18:49:49 -0400
> > Jason Martin <legos.j...@gmail.com> wrote:
> >
> >   
> >> On another note, how "Open Source friendly" is OAuth? I'm not sure
> >> if people who write open source software want to be giving out
> >> their Consumer Secret key in their source code
> >>     
> >
> > Reasoning from a faulty premise.
> >
> > When you know your code is going to be seen you either avoid doing
> > stupid things like hard coding credentials or you learn fast that
> > configuration data is not code.
> >
> > (Now where I did leave my virtual haddock?)
> >
> > Chris Babcock

Reply via email to